Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dashlane
v1.0.2
Dashlane integration. Manage data, records, and automate workflows. Use when the user wants to interact with Dashlane data.
by Vlad Ursul (@gora050)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill's name/description (Dashlane integration) aligns with the instructions (use Membrane CLI to connect to Dashlane). Minor inconsistency: the registry metadata lists no required binaries or credentials, but the SKILL.md expects a working Node/npm environment and a Membrane account.
Instruction Scope
Instructions are narrowly scoped to installing the Membrane CLI, creating a Membrane connection to Dashlane, listing/running actions, and proxying API requests via Membrane. The only broad action is 'membrane request', which intentionally proxies arbitrary Dashlane API calls — this is expected but means Membrane will see the requests/responses.
Install Mechanism
There is no formal install spec in metadata; the SKILL.md instructs 'npm install -g @membranehq/cli'. That is a public npm package install (moderate risk): it requires global npm/node, writes to disk, and you should verify the package/publisher before installing.
Credentials
The skill requests no environment variables in metadata and claims Membrane handles auth (so no local API keys are needed). However, SKILL.md states a Membrane account is required — this is not declared in the registry fields. No unrelated credentials or file access are requested in the instructions.
Persistence & Privilege
This is an instruction-only skill with no install-time persistence specified and always:false. It does not request elevated or permanent system privileges.
Assessment
Before installing/using:
(1) Understand that this skill depends on the third-party Membrane service and CLI — Membrane will broker requests to Dashlane and will see request/response data, so only proceed if you trust that service and review its privacy/terms.
(2) The SKILL.md requires npm/node and a Membrane account even though the registry metadata didn't list them — ensure your environment meets these requirements.
(3) Verify the @membranehq/cli npm package and its publisher (npm page and GitHub repo) before running a global install, or install in an isolated environment/container.
(4) Do not provide unrelated credentials; follow the SKILL.md guidance to create a connection via the CLI/browser flow rather than sharing API keys.
(5) If you need higher assurance, ask the publisher for a signed install spec or source link and for clarification about where authentication tokens and proxied data are stored/processed.
Like a lobster shell, security has layers — review code before you run it.
