Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fintoio

v1.0.2

Finto.io integration. Manage data, records, and automate workflows. Use when the user wants to interact with Finto.io data.

by Vlad Ursul (@gora050)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a Membrane-based integration with Finto.io and the described CLI actions match that purpose. However, the skill metadata declares no required binaries or network requirement while the instructions explicitly require network access, a Membrane account, and running the Membrane CLI—an omission in the declared requirements.
Instruction Scope
Instructions stay within the stated purpose: listing/creating connections, discovering actions, running actions, and proxying requests to Finto.io via Membrane. They do not ask the agent to read arbitrary host files or unrelated credentials. However, the instructions require installing and running an external CLI and performing interactive browser authentication, which is significant operational scope not reflected in the registry metadata.
Install Mechanism
There is no install spec in the registry, but the SKILL.md tells operators to run `npm install -g @membranehq/cli` (and suggests using npx). A global npm install modifies the host and will write code to disk. The skill should have declared this dependency (or provided an official install spec). Installing third-party CLI tooling without an explicit install spec is a risk and a mismatch.
Credentials
The skill does not request environment variables or secrets and relies on Membrane to handle authentication via interactive login. That is proportionate to the described purpose. Keep in mind the Membrane service will hold credentials server-side, so trust in that external service is required.
Persistence & Privilege
The skill is not marked always:true and does not request an elevated persistent presence. Autonomous invocation is allowed by default (which is normal) and is not combined with other red flags here.
What to consider before installing
This skill appears to be a straightforward Membrane-based Finto.io integration, but exercise caution before installing or running the commands it suggests:

1. It omits declaring required tooling: you will need npm/npx and will perform a global `npm install -g`, which writes to the host.
2. The CLI will perform network calls and browser-based authentication, so verify that you trust the Membrane service (https://getmembrane.com) and its npm package (@membranehq/cli), and inspect the package/repository if possible.
3. Avoid installing global packages on sensitive or production hosts; test in a sandbox or container first.
4. If you prefer not to install a CLI, ask for a version of the skill that uses an explicit declarative API integration or a vetted install spec.
5. Confirm whether your environment's policies allow interactive browser logins and global npm installs before proceeding.


latest: vk97e8pnfnep52gp64fzdvc9rfs842yy6
