ClawHub

Demandware

v1.0.2

Demandware integration. Manage data, records, and automate workflows. Use when the user wants to interact with Demandware data.

0· 100·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description say 'Demandware integration' and the SKILL.md exclusively describes using the Membrane CLI to connect to Demandware (Salesforce Commerce Cloud). No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are limited to installing/using the Membrane CLI, logging in, creating/listing connections, running actions, and optionally proxying API requests. These steps are within the described scope. Note: the instructions ask the user to perform authentication via browser/console and to rely on Membrane's server-side credential handling — this requires trusting Membrane with access to the target service's tokens.
Install Mechanism
There is no platform install spec in the registry (instruction-only skill). The SKILL.md recommends installing the @membranehq/cli via npm (global install) or using npx. This is a standard, traceable registry install (npm) but it does change the host environment (global npm install) and pulls code from the npm registry — consider using npx to avoid global installs or verify the package on npm before installing.
Credentials
The skill requests no environment variables, no local credentials, and explicitly advises against asking users for API keys. The approach is proportional: Membrane handles auth server-side and the skill does not demand additional secrets.
Persistence & Privilege
always:false and user-invocable:true. The skill does not request persistent system-wide changes to agent configuration or other skills. The default ability for the agent to invoke the skill autonomously is unchanged (normal platform behavior).
Scan Findings in Context
[no_regex_findings] expected: The static scanner found no matches because this is an instruction-only skill with no code files; that's expected. The primary security surface is the SKILL.md content.
Assessment
This skill delegates all Demandware work to the Membrane service/CLI. Before installing or running it: (1) Verify you trust Membrane (check the @membranehq/cli package on npm, the getmembrane.com homepage, and the referenced GitHub repo). (2) Prefer using npx @membranehq/cli@latest instead of npm -g to avoid global installs, or install in a controlled environment/container. (3) Understand that Membrane will hold and use OAuth/API credentials server-side to access your Demandware instance — ensure this is acceptable for your data/privacy/compliance needs. (4) Because the skill is instruction-only, review the exact CLI commands you’ll run before executing them. If you need higher assurance, test in a non-production environment and confirm the npm package signature/source first.

Like a lobster shell, security has layers — review code before you run it.

latestvk9791tp10tge8fw0f0zq60wp25843mbw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments