Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gatherup

v1.0.2

GatherUp integration. Manage Organizations. Use when the user wants to interact with GatherUp data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Pending
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the SKILL.md: it operates on GatherUp data via the Membrane CLI. However the skill metadata declares no required binaries while the instructions require npm and the @membranehq/cli to be installed — a minor coherence gap.
Instruction Scope
The runtime instructions stay within the stated purpose: install Membrane CLI, login, create/list connections, run actions, and optionally proxy requests to the GatherUp API. The instructions do not ask the agent to read unrelated files or to collect arbitrary local secrets, and they explicitly advise not to ask users for API keys.
Install Mechanism
There is no formal install spec in the skill bundle; instead SKILL.md tells users to run 'npm install -g @membranehq/cli'. Installing a global npm package is a moderate-risk action (code will be written to disk and run). The package is on the public npm registry (not an arbitrary URL), but users should verify the package and its source before installing globally.
Credentials
The skill declares no required environment variables or credentials and its guidance says Membrane handles auth server-side. That is proportionate to a connector-style integration; there are no unexplained secret requests.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and does not request any special persistent agent privileges or attempt to modify other skills' configs. Default autonomous invocation is allowed but not in itself concerning here.
What to consider before installing
This skill appears to do what it says: it uses the Membrane CLI to interact with GatherUp and does not request API keys. Before installing, note that SKILL.md asks you to run a global npm install (npm install -g @membranehq/cli). Installing global npm packages runs third-party code on your machine — verify the npm package and repository (https://github.com/membranedev/application-skills / https://getmembrane.com) and consider installing in a controlled environment if you’re unsure. Also ensure you’re comfortable granting the agent network access and a Membrane account (logins open a browser flow). The metadata omission of required binaries (npm/membrane) is a minor inconsistency but not itself indicative of malicious behavior.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97ejr1y6q31rqqtekbney6zmh842335
