Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Fountain
v1.0.2
Fountain integration. Manage data, records, and automate workflows. Use when the user wants to interact with Fountain data.
by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to integrate with a service named 'Fountain' to manage data and workflows and instructs the agent to use Membrane connectors. However, the SKILL.md describes 'Fountain' as screenwriting software (fountain.io), while the integration context (connectors, records, projects) and common use of Membrane suggest it may target a different 'Fountain' (e.g., an ATS/hiring product). This looks like a copy/paste or documentation mismatch and should be clarified.
Instruction Scope
Runtime instructions are limited to installing and using the Membrane CLI, creating connections, listing actions, running actions, and proxying requests through Membrane. The instructions do not ask the agent to read arbitrary local files, environment variables, or to send data to unrelated endpoints. They require network access and browser-based auth flow, which is expected for this type of integration.
Install Mechanism
There is no registry install spec, but the SKILL.md tells users to run 'npm install -g @membranehq/cli'. Requesting a global npm install is reasonable for a CLI-based skill but is not reflected in the declared required binaries (the skill metadata lists none). Installing global npm packages has the usual risks and requires npm/node on the system; verify you trust the package and @membranehq before installing.
Credentials
The skill declares no required environment variables or credentials and explicitly directs users to rely on Membrane-managed connections rather than local API keys. This is proportionate to the described functionality; authentication is handled via Membrane's browser-based workflow (server-side).
Persistence & Privilege
The skill does not request permanent presence (always:false) and is user-invocable. There is no indication it modifies other skills or system-wide settings. Autonomous invocation is allowed (platform default) but does not combine here with other high-risk flags.
What to consider before installing
What to check before installing:
- Confirm which 'Fountain' service this skill targets (screenplay format fountain.io vs a different Fountain product such as an ATS). The SKILL.md text looks like a copy/paste error and should be clarified by the publisher.
- Installing the Membrane CLI requires 'npm install -g @membranehq/cli' (global npm install). Only proceed if you trust @membranehq and are comfortable installing global npm packages.
- Understand that Membrane’s server will handle authentication and proxy requests — Membrane will see the data you send through the connector. Review Membrane’s privacy/security documentation and the connector’s permissions before connecting production accounts.
- Because the registry metadata lists no required binaries but the docs require npm/CLI, verify your environment (npm/node) and consider testing with a low-privilege or sandbox account first.
- If you need stronger assurance, ask the publisher for confirmation of the intended Fountain target and for a pointer to the exact connector manifest or docs that prove this connector interacts with the expected service.

Like a lobster shell, security has layers — review code before you run it.
