Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Encore
v1.0.2
Encore integration. Manage data, records, and automate workflows. Use when the user wants to interact with Encore data.
by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious · medium confidence
Purpose & Capability
The skill claims to integrate with Encore via the Membrane platform and the instructions all use the Membrane CLI, which is consistent. However, the SKILL.md contains an out-of-place 'Official docs' link to the Spotify Web API and a few copy/paste-like inconsistencies (mixing descriptions of Encore and Membrane). These are likely documentation mistakes but reduce confidence in authorship/quality.
Instruction Scope
Runtime instructions are limited to installing and using the Membrane CLI, authenticating via web flow, listing/connecting actions, running actions, and proxying requests to Encore through Membrane. The instructions do not ask the agent to read unrelated files, environment variables, or other system state.
Install Mechanism
The registry has no install spec (instruction-only), and SKILL.md instructs users to npm install -g @membranehq/cli or use npx. Installing a global third‑party CLI is a reasonable step for this integration, but it does introduce code from an external package on the user's machine — verify the CLI source and trustworthiness before installing.
Credentials
The skill declares no required environment variables, no config paths, and no credentials. The SKILL.md explicitly advises not to ask users for API keys and to rely on Membrane-managed connections, which is proportionate to the stated purpose.
Persistence & Privilege
The skill does not request always:true, does not include code that would persist on disk, and is instruction-only. Autonomous invocation is enabled by platform default but not combined with other high-risk indicators here.
What to consider before installing
This skill appears to be an instruction-only integration that directs the agent to use the Membrane CLI to talk to Encore. Before installing/using it:
1) Verify the Membrane project and CLI (getmembrane.com and the @membranehq/cli npm package) are trustworthy — review the package source and permissions.
2) Be aware that Membrane will broker auth for you; using it means credentials for Encore are managed by Membrane (server-side), so confirm you trust that service.
3) The SKILL.md has a likely copy/paste error (references Spotify docs); consider checking the linked repository (https://github.com/membranedev/application-skills) for a canonical README.
4) In headless or sensitive environments, avoid installing global CLIs without review.
These inconsistencies are probably non-malicious documentation issues, but they justify extra verification before proceeding.
Like a lobster shell, security has layers — review code before you run it.
