Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Efinder
v1.0.2Efinder integration. Manage Leads, Persons, Organizations, Deals, Projects, Activities and more. Use when the user wants to interact with Efinder data.
⭐ 0· 176·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to integrate 'Efinder' but the human-readable description calls it an SEO tool while the listed actions (verify-email, find-email-by-domain, domain-search) indicate an email/data-enrichment product. The package homepage points to Membrane (getmembrane.com) and repository is the Membrane skills repo — this suggests the skill is a Membrane connector, but the mixed documentation (including an efinder.readthedocs link) is inconsistent and could confuse users about what data will be accessed.
Instruction Scope
SKILL.md contains concrete CLI instructions to install and use the @membranehq/cli, to create connections, run actions, and to proxy arbitrary requests via 'membrane request'. The instructions do not tell the agent to read local files or secrets, and explicitly say not to ask users for API keys, which is good. However, 'membrane request' can be used to send arbitrary proxied API calls using the established connection — that grants broad access to the connected account's API surface and could be misused if a user or agent runs unexpected requests.
Install Mechanism
There is no formal install spec (instruction-only), but SKILL.md instructs the user to run 'npm install -g @membranehq/cli'. The skill metadata does not list 'membrane' (or npm/node) as a required binary. That omission is an inconsistency but not necessarily malicious — it increases the chance the skill will fail silently or prompt the user to install tooling at runtime.
Credentials
The skill declares no required environment variables and recommends using Membrane-managed connections rather than storing API keys locally, which is proportionate. Users should note that creating a Membrane connection delegates authentication to Membrane and grants that connection access to Efinder data — credentials are not exposed in env vars, but the connection is effectively a long-lived credential held by the Membrane service.
Persistence & Privilege
The skill does not request always:true, does not declare any system config paths or persistent privileges, and is user-invocable only. It does rely on the Membrane CLI which (if installed) will store connection state via Membrane's usual login flow, but that's expected for this type of connector.
What to consider before installing
This skill appears to be a Membrane connector for an 'Efinder' service, but the documentation has mixed/contradictory descriptions and does not declare the Membrane CLI dependency. Before installing: 1) Confirm what 'Efinder' actually is and whether the listed actions match the data you expect (email-related vs SEO). 2) Inspect the @membranehq/cli package on npm (publisher, downloads, source) before running npm install -g. 3) Understand that creating a Membrane connection grants the connector access to the target account's API and that 'membrane request' can proxy arbitrary API calls — only grant access to trusted endpoints/accounts. 4) Ask the skill author to fix the inconsistencies (declare 'membrane' as a required binary, correct description/homepage) so you can be confident about scope. If you cannot verify these points, proceed cautiously or do the initial setup in an isolated environment.Like a lobster shell, security has layers — review code before you run it.
latestvk9790s448asdnzpzw7dkastnk9843rsj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.