Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cybersource
v1.0.0
CyberSource integration. Manage data, records, and automate workflows. Use when the user wants to interact with CyberSource data.
by Vlad Ursul (@gora050)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (CyberSource integration) matches the SKILL.md instructions, which rely on the Membrane CLI to manage connections, actions, and proxy requests to CyberSource. However, the registry metadata claims no required binaries while the instructions clearly require the 'membrane' CLI binary (npm package @membranehq/cli). This metadata omission is an inconsistency.
Instruction Scope
SKILL.md stays within the CyberSource integration scope: it instructs creating a Membrane connection, listing actions, running actions, and proxying API requests. The proxy feature can send arbitrary requests to CyberSource through Membrane (and thus the user's connected account), which is expected for this kind of skill but is powerful — the agent could run arbitrary API calls on the user's behalf once a connection exists.
Install Mechanism
There is no install spec in the registry, but SKILL.md tells the user to run 'npm install -g @membranehq/cli'. That is a public npm package install (moderate supply-chain risk). The skill does not declare this requirement in metadata, so the installer/agent won't know the dependency upfront. Users should verify the npm package and its maintainer before installing globally.
Credentials
The skill does not request environment variables or credentials in metadata and instead relies on Membrane's browser-based login flow; this is proportionate to the stated purpose. Be aware that establishing a Membrane connection grants that connection the authority to act against CyberSource on your behalf — check scopes/permissions in the Membrane connection UI.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistence. It is user-invocable and allows normal autonomous invocation; nothing in the manifest indicates it attempts to modify other skills or system-wide settings.
What to consider before installing
Before installing or using this skill:
1) Confirm the Membrane CLI package (@membranehq/cli) is the official package and review its npm/GitHub repo and maintainers; installing global npm packages has supply-chain risk.
2) Be aware the skill relies on establishing a Membrane connection — that connection can make API calls on your behalf to CyberSource, so review and limit its scopes/permissions.
3) Note the registry metadata omitted the 'membrane' CLI requirement; prefer a skill that declares required binaries or provides an install spec.
4) If you want to reduce risk, run the documented membrane commands manually in an isolated environment (or inspect the CLI code) rather than allowing an automated agent to install/run them.
5) If you need higher assurance, ask the publisher for an install spec, proof of the CLI release (GitHub release link), and explicit description of connection scopes.
These steps will reduce supply-chain and authorization surprises.
Like a lobster shell, security has layers — review code before you run it.
