Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Datumbox
v1.0.2
Datumbox integration. Manage Organizations, Users, Goals, Filters. Use when the user wants to interact with Datumbox data.
by Vlad Ursul @gora050
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name/short description mentions managing Organizations, Users, Goals, Filters, but the SKILL.md focuses on Datumbox ML models and using the Membrane CLI to create connectors/actions. That mismatch suggests either an inaccurate description or a copied template. Additionally, the runtime instructions require the Membrane CLI, but the skill metadata lists no required binaries — the declared purpose and declared requirements are not fully aligned.
Instruction Scope
The instructions are explicit about using the Membrane CLI (npm @membranehq/cli), logging in (interactive browser flow or headless code exchange), finding connector and connection IDs, and invoking connector actions. The steps are scoped to connecting to Datumbox through Membrane and do not instruct reading arbitrary system files or environment variables beyond the CLI auth flow.
Install Mechanism
This is an instruction-only skill (no install spec). The SKILL.md tells users to install a global npm package (npm install -g @membranehq/cli). Installing a global CLI is a normal approach but does introduce supply-chain considerations (npm package source, global install privileges). There are no downloads from unknown URLs or archive extraction instructions.
Credentials
The skill does not request environment variables or credentials directly in metadata. Authentication is delegated to the Membrane CLI/browser flow. No unexplained SECRET/TOKEN env vars are declared or referenced in the instructions.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide changes. It relies on the Membrane CLI which will manage its own local auth state; the skill itself does not ask to modify other skills or system configuration.
What to consider before installing
- The SKILL.md requires you to install the Membrane CLI (npm install -g @membranehq/cli) and sign in via a browser flow; that CLI will hold your Membrane auth/session and will be able to create connectors that access Datumbox data. Only proceed if you trust @membranehq/cli and understand what permissions the connector will request.
- The visible description in the registry (Organizations/Users/Goals/Filters) does not match the body of the skill (Datumbox ML models + connector usage). This may be a harmless documentation error, but ask the publisher to confirm the intended functionality before granting access.
- Because this is instruction-only and the skill source is listed as "unknown," verify the skill author/owner and the referenced repository (https://github.com/membranedev/application-skills) to ensure it came from a trusted source.
- Installing a global npm package requires elevated rights on some systems; consider testing in an isolated environment or container first.
- Confirm what data the connector can access in Datumbox and limit scope where possible (least privilege). If you want higher assurance, request a version of the skill that declares required binaries and a link to the exact CLI package/release used.
If you want, I can: (1) extract and list the CLI commands the skill will run, (2) formulate questions to ask the publisher to clarify the description mismatch, or (3) suggest safer testing steps (containerized install, inspect npm package).
Like a lobster shell, security has layers — review code before you run it.
