ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crove

v1.0.2

Crove integration. Manage Organizations, Users, Goals, Filters. Use when the user wants to interact with Crove data.

0· 119·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md clearly requires the Membrane CLI (membrane) and a Membrane account to access Crove. The registry metadata lists no required binaries or primary credential, which is inconsistent: a user running this skill will need to install and run an external CLI and authenticate to Membrane.
Instruction Scope
Runtime instructions stick to interacting with Membrane to manage Crove data (login, create connections, run actions, proxy requests). They do not instruct reading unrelated system files or exporting secrets elsewhere. The only extra behaviors are browser-based auth flows and use of Membrane's proxy to call Crove APIs, which are expected for this integration.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md tells users to run `npm install -g @membranehq/cli`. Installing a global npm package is a normal approach, but the skill should have declared the dependency; also you should verify the npm package’s authenticity (publisher, package contents) before running a global install.
Credentials
The skill does not request environment variables or credentials in metadata. SKILL.md advises using Membrane-managed connections (no local API keys), which is proportionate. Note: using the CLI will create/retain local auth state for the Membrane account (normal for CLIs).
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It relies on the Membrane CLI and the user's Membrane session; there is no instruction to modify other skills or system-wide agent settings.
What to consider before installing
This skill appears to be a normal Crove integration that uses the Membrane CLI, but the registry metadata failed to list the CLI dependency. Before installing: 1) Confirm you trust the @membranehq/cli npm package (check the publisher, package page, and repo); 2) Be aware you'll need Node/npm and that installing globally modifies your system PATH; 3) Expect the CLI to open a browser for login and to store local auth state; 4) If you prefer not to install a global CLI, ask the skill author to declare the dependency or provide an alternative integration method. If anything about the package origin or Membrane's trustworthiness is unclear, treat this as a potential risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk971f9qc3y5pwzrb1br0gar19d842ffb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments