Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fortify

v1.0.2

Fortify integration. Manage data, records, and automate workflows. Use when the user wants to interact with Fortify data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a Fortify integration that uses the Membrane CLI to manage connections, run actions, and proxy API requests — this matches the stated purpose. However, the registry metadata lists no required binaries or install steps even though the runtime instructions require installing and running the @membranehq/cli (npm) and thus implicitly require npm/node and a network-accessible Membrane account.
Instruction Scope
Instructions stay within the stated purpose: logging into Membrane, creating a Fortify connection, listing and running actions, and proxying API requests. The document explicitly warns not to collect local secrets and prefers Membrane-managed credentials. It does not instruct reading arbitrary local files or unrelated environment variables.
Install Mechanism
There is no install spec in the registry, but the SKILL.md requires users to run `npm install -g @membranehq/cli`. Installing a global npm package is a moderate-risk operation (network download and write to disk). The install source (npm package @membranehq/cli) is a public registry package — expected for this functionality but requires trusting that package and its authors.
Credentials
No environment variables or credentials are declared in the metadata; the skill relies on a Membrane account and browser-based auth instead of local API keys. That is proportionate for a connector-style integration, but it does require trusting Membrane to handle credentials server-side.
Persistence & Privilege
The skill is not always-enabled, does not request elevated system-wide privileges, and does not modify other skills' configs. It will require installing a CLI binary, but it does not ask for persistent platform-level access beyond the normal operation of Membrane.
What to consider before installing
Before installing:
1) Confirm you trust Membrane/getmembrane.com and the @membranehq/cli npm package (check the package page, changelog, and GitHub repo).
2) Be aware you will install a global npm binary (requires node/npm) that can send proxy requests to Fortify — install in a controlled/sandbox environment first if unsure.
3) The registry metadata omits the install requirement (npm/node) — treat that as an inconsistency and verify prerequisites.
4) Understand that authentication is handled server-side by Membrane; you must trust them with connector credentials.
5) If you need higher assurance, ask the publisher for a provenance link (exact npm package repository, release tag) and for the skill to declare required binaries in metadata.
If you cannot verify the upstream project, avoid installing or run it in an isolated environment.

Like a lobster shell, security has layers — review code before you run it.
