Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dopesecurity

v1.0.2

Dope.security integration. Manage data, records, and automate workflows. Use when the user wants to interact with Dope.security data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to integrate with Dope.security via Membrane, and the SKILL.md consistently describes using Membrane connectors, actions, and proxy requests — that is coherent. However, the skill metadata lists no required binaries or install spec while the instructions require installing the @membranehq/cli via npm and use npx; this mismatch is unexpected.
Instruction Scope
Instructions remain within the stated integration scope (discover actions, run actions, and proxy requests to Dope.security). They explicitly recommend letting Membrane handle credentials. One thing to note: the proxy capability (`membrane request`) lets callers send arbitrary HTTP requests via the Membrane connection, which is powerful and could be misused if the agent or connector is compromised.
Install Mechanism
This is an instruction-only skill with no formal install spec, yet the SKILL.md tells users to run `npm install -g @membranehq/cli` and uses `npx`. The skill metadata does not declare Node/npm or npx as required binaries. Missing an install spec and failing to declare those dependencies is an inconsistency and increases risk (global npm installs execute third-party code).
Credentials
The skill requests no environment variables and explicitly advises not to collect API keys locally, relying instead on Membrane-managed connections. That is proportionate to the described purpose. It does, however, require a Membrane account and browser-based authentication, which you must trust.
Persistence & Privilege
The skill does not request 'always' presence and does not declare any config paths or persistent privileges. Autonomous invocation is allowed by default (normal), but nothing in the skill requests elevated or persistent system privileges.
What to consider before installing
Before installing, verify you trust Membrane (https://getmembrane.com), because the skill proxies requests through Membrane and relies on your Membrane account. Prefer not to run global npm installs blindly: consider using npx or an isolated environment/container, and confirm the CLI package and repository are official. Be aware that the SKILL.md requires Node/npm/npx even though the metadata doesn't declare them. Confirm the connector ID and permissions when creating the Dope.security connection (least privilege). If you need higher assurance, ask the publisher for an install spec and signed source repository, or run the CLI in a controlled environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a2jv5t5cee8rhctmhf18ax1843ath
