Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Expedy

v1.0.2

Expedy integration. Manage Organizations, Pipelines, Users, Filters. Use when the user wants to interact with Expedy data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to integrate Expedy (a travel & expense SaaS) via Membrane, which matches the SKILL.md guidance to use the @membranehq/cli. However, the 'Popular actions' table lists USB/print/device-management actions (create-usb-print-job, scan-usb-devices, reboot-device, etc.) that do not fit a travel/expense product—this mismatch suggests copy/paste errors or incorrect documentation about what the connector actually exposes.
Instruction Scope
Runtime instructions are concrete and limited to installing and using the Membrane CLI, creating connections, listing and running actions, and proxying requests. They do not instruct reading arbitrary local files, accessing unrelated env vars, or exfiltrating data. The browser-based login and headless flow are standard for OAuth-style flows.
Install Mechanism
There is no automated install spec (instruction-only), but the doc tells users to run 'npm install -g @membranehq/cli'. Asking users to install a public npm CLI is reasonable, but global npm installs affect the local environment—users should vet the package and its source before installing.
Credentials
The skill requests no environment variables or credentials and explicitly advises letting Membrane manage auth. That is proportionate for a connector operated through a third-party CLI/service.
Persistence & Privilege
always is false and there is no install that writes files or modifies other skills. The skill is instruction-only and does not request persistent elevated privileges.
What to consider before installing
This skill largely just tells the agent to use the Membrane CLI to talk to Expedy, which is reasonable — but the action list in the documentation contains many device/printing actions that don't match Expedy's stated purpose. Before installing or using it: (1) verify with the publisher/source that this skill actually targets Expedy and that the listed actions are correct, (2) inspect the Membrane connector in your Membrane account (run the listed discovery commands in a safe/test account) to confirm available actions and action IDs, (3) avoid installing npm packages without checking the package repository and maintainers, and (4) test any impactful actions in a non-production environment. The mismatch looks like documentation or packaging sloppiness rather than proven maliciousness, but treat it as a red flag until clarified.

Like a lobster shell, security has layers — review code before you run it.
