Erxes
v1.0.0Erxes integration. Manage data, records, and automate workflows. Use when the user wants to interact with Erxes data.
⭐ 0· 60·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (Erxes integration) matches the instructions: it uses the Membrane CLI to discover connectors, create connections, run actions, and proxy API requests to Erxes. Required capabilities and instructions are aligned with the stated purpose.
Instruction Scope
Instructions are limited to installing and using the Membrane CLI, logging in, creating connections, listing actions, running actions, and proxying requests. They do not ask the agent to read unrelated files or environment variables. Important caveat: proxying sends requests (and authentication) through the Membrane service, so data and API calls will traverse a third party; the SKILL.md mentions this but users should verify privacy/trust implications.
Install Mechanism
This is an instruction-only skill (no install spec in the registry), but the doc instructs users to run `npm install -g @membranehq/cli` and uses `npx` in examples. Installing or running packages from the npm registry executes third-party code and `npx` can fetch latest remote code at runtime—this is standard but increases risk if the package or registry were compromised. The registry metadata itself does not perform installs.
Credentials
The skill declares no required environment variables or credentials and explicitly advises not to ask users for API keys, instead using Membrane-managed connections. The requested permissions (browser login via Membrane, creating connections) are proportional to the task. Note that credentials are stored/handled server-side by Membrane, so trust in that service matters.
Persistence & Privilege
The skill does not request permanent/always-on presence and does not modify system or other skills' configs. It is user-invocable and allows autonomous invocation (the platform default) but does not escalate privileges beyond normal operation.
Assessment
This skill appears to do what it says: it uses the Membrane CLI to talk to Erxes and doesn't ask for unrelated secrets. Before installing/using it: (1) Verify you trust the Membrane service (getmembrane.com) because API requests and credential handling go through their servers; (2) Be aware that `npm install -g` and `npx` execute code from the npm registry—review the @membranehq/cli package source and its npm ownership if you are security-conscious; (3) Prefer installing in a sandbox or non-production environment first, and avoid running global installs as root on critical hosts; (4) Confirm organizational policy allows routing customer data through a third party and review Membrane's privacy/security docs; (5) If you need stronger guarantees, consider direct use of Erxes' API with audited client code rather than a proxy. If you want a deeper assessment, provide the Membrane CLI repository/package URL and any network or privacy policy documentation so I can check for additional red flags.Like a lobster shell, security has layers — review code before you run it.
latestvk97ecvp5fg8y1ayszjy07f4t85849p3j
License
MIT-0
Free to use, modify, and redistribute. No attribution required.