ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Enrow

v1.0.2

Enrow integration. Manage Organizations, Pipelines, Users, Goals, Filters. Use when the user wants to interact with Enrow data.

0· 67·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims to be an 'Enrow' integration, but the SKILL.md primarily documents generic Membrane CLI usage. The 'Popular actions' list references phone/email verification and search actions (contact-data style) which do not align with Enrow's energy-management domain. The homepage and repository metadata point to Membrane (getmembrane.com and github.com/membranedev), not an Enrow-specific source. This mismatch suggests the skill may be a template or mislabelled and may not actually implement Enrow-specific actions.
Instruction Scope
Instructions are limited to installing and using the Membrane CLI, creating a connection, listing and running actions, and proxying requests through Membrane. These steps are within the stated mechanism (Membrane) and do not instruct reading unrelated files or environment variables. However, the ability to proxy arbitrary HTTP requests via 'membrane request CONNECTION_ID /path' is powerful — it can be used to send arbitrary data to the target API, so you should confirm which endpoints/actions will be used and that they truly map to Enrow.
Install Mechanism
There is no platform install spec in the registry (instruction-only), but the SKILL.md instructs the user to run 'npm install -g @membranehq/cli'. Installing a global npm package is a normal user action; the package comes from the public npm registry. Recommend verifying the npm package owner and integrity (publisher, version) before running a global install.
Credentials
The skill declares no required environment variables and explicitly advises not to ask users for API keys (Membrane handles auth). It does require a Membrane account and network access, which is proportionate. No unexpected credential requests are present in the SKILL.md.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not modify other skills or system-wide settings. It relies on user-invoked Membrane CLI commands and browser-based auth flows.
What to consider before installing
This skill appears to be a generic Membrane-CLI integration but is labeled 'Enrow' while listing actions that look like phone/email lookup features — that mismatch is suspicious. Before installing or using it: 1) Confirm with the skill author or documentation that there is a real Enrow connector and obtain its connector/connection IDs. 2) Verify that the actions you will run actually correspond to Enrow APIs (not a different service). 3) Inspect and validate the @membranehq/cli npm package (publisher, version, checksums) before doing a global install. 4) Test any commands in a safe, non-production environment and avoid sending sensitive data until you confirm the connector and endpoints. If you cannot verify the connector maps to Enrow, treat this skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk972nx1rnrxax72pdftvc22nvs843a3a

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments