Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Deepseek

v1.0.2

DeepSeek integration. Manage Organizations. Use when the user wants to interact with DeepSeek data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The description (DeepSeek integration) matches the instructions (use Membrane CLI to connect and run DeepSeek actions). However, the skill metadata lists no required binaries while the runtime instructions assume npm and a 'membrane' CLI are available/installed — a metadata mismatch that should be corrected.
Instruction Scope
SKILL.md stays within the stated purpose (discover/connect/run actions and proxy DeepSeek API calls). It does instruct installing a global CLI and running commands that could be used to send arbitrary proxied requests to DeepSeek via 'membrane request' — a legitimate feature, but one that can access arbitrary endpoints within the connected account.
Install Mechanism
No install spec is included in the skill bundle (instruction-only). The instructions tell the user to run 'npm install -g @membranehq/cli' (npm registry). Installing a global npm package is a normal way to get the CLI but has moderate risk compared to no install; the skill metadata should declare this dependency.
Credentials
The skill requests no environment variables or secrets and explicitly advises using Membrane's browser-based auth rather than local API keys. This is proportionate to the stated purpose.
Persistence & Privilege
The skill does not request always-on or special privileges. The only persistence/privilege implication is the suggested global installation of the Membrane CLI, which writes to the host environment — this is performed by the user and not embedded in the skill, but should be considered.
What to consider before installing
This skill appears to be a Membrane-based connector for DeepSeek and is generally coherent, but double-check before installing: (1) the SKILL.md assumes you have npm and will install a global package — verify you trust the @membranehq/cli package on npm and prefer installing it in a controlled environment (container or VM) if unsure; (2) the skill can proxy arbitrary API requests via 'membrane request' — only grant connections to services/accounts you trust and review the connection scope/permissions during OAuth; (3) ask the publisher to update the skill metadata to declare required binaries (npm, membrane) and any expected permissions to remove the current mismatch. If you want higher assurance, request a signed release or an install spec that pins a vetted package version.

Like a lobster shell, security has layers — review code before you run it.
