Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Customerio

v1.0.0

Customer.io integration. Manage data, records, and automate workflows. Use when the user wants to interact with Customer.io data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's name and description (Customer.io integration) align with the runtime instructions which exclusively show how to use the Membrane CLI to connect to Customer.io, discover actions, run them, or proxy raw API requests. Nothing in the SKILL.md asks for unrelated infrastructure or credentials.
Instruction Scope
All instructions are limited to installing/using the Membrane CLI, performing Membrane login/connection flows, listing actions/connections, running actions, and proxying requests to the Customer.io API. The docs explicitly discourage asking users for API keys and do not instruct reading unrelated files or environment variables.
Install Mechanism
The skill is instruction-only (no install spec), but it instructs installing @membranehq/cli via npm (globally) or using npx. Installing an npm CLI is a normal step for this use case; it does carry the usual risk of running third-party code locally, so users should verify the package and source before installing.
Credentials
No environment variables, config paths, or credentials are requested by the skill. The SKILL.md relies on Membrane to manage auth server-side and explicitly advises not to request Customer.io API keys from the user — this is proportionate to the stated integration task.
Persistence & Privilege
Flags show no forced persistence (always: false) and model invocation is normal. The skill does not request to modify other skills or system-wide agent settings. There is no attempt to create long-term agent privileges.
Assessment
This skill is coherent and uses the Membrane CLI to handle auth and proxy requests to Customer.io. Before installing or running it: (1) verify you trust Membrane (@membranehq) — check the npm package page and the repository/homepage; (2) prefer using npx for one-off runs if you don't want a global install; (3) understand that Membrane's server will mediate requests and thus will see proxied data and hold credentials — review their privacy/terms; (4) do not paste Customer.io API keys into chat or tools; follow the recommended browser-based connection flow. If you need higher assurance, inspect the @membranehq/cli source code or run it in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk9791q3trx474phys5g5a7yxf584avza
