ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Engagebay

v1.0.2

EngageBay integration. Manage Persons, Organizations, Deals, Leads, Projects, Activities and more. Use when the user wants to interact with EngageBay data.

0· 98·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (EngageBay integration) matches the instructions: all operations are routed through the Membrane CLI/proxy to interact with EngageBay resources. Required capabilities (network access, Membrane account, Membrane CLI) are proportional to the stated purpose.
Instruction Scope
SKILL.md stays on-topic (login, create connection, list/run actions, proxy requests). It does permit arbitrary proxied requests via Membrane (membrane request CONNECTION_ID /path), which is expected for full API coverage but means request bodies/responses will transit Membrane servers — the doc does not instruct reading unrelated files or environment variables.
Install Mechanism
No automated install spec in the registry; the doc instructs a global npm install of @membranehq/cli. This is a typical approach for a CLI, but installing a global npm package executes third-party code on the host — verify the package and publisher before installing on sensitive systems.
Credentials
The skill requires no local environment variables or secrets and explicitly advises against asking users for API keys (it uses Membrane to manage auth). This is proportionate to the integration's design.
Persistence & Privilege
always is false and there is no code written by the skill to persist or modify other agent configurations. The skill does require the user to install a CLI, but it does not request system-wide privileges beyond that expected for a CLI tool.
Assessment
This skill appears coherent and uses Membrane as a proxy for EngageBay, so: (1) verify and trust the @membranehq/cli npm package and the Membrane service before installing, especially on production or sensitive hosts; (2) understand that API requests and returned data (potentially PII) will transit Membrane servers — confirm this is acceptable under your privacy/security policy; (3) global npm installs run code on your machine — consider auditing the package or running in an isolated environment if you're unsure; (4) the skill does not request local credentials (good), but if you prefer to avoid any third-party proxying, use the EngageBay API directly with your own credentials instead.

Like a lobster shell, security has layers — review code before you run it.

latestvk97076z0m6tc43eq8pxepw8y7d8439ma

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments