Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Genderize
v1.0.2Genderize integration. Manage data, records, and automate workflows. Use when the user wants to interact with Genderize data.
⭐ 0· 83·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill describes a Genderize integration and all runtime instructions use the Membrane CLI and Membrane-hosted connections — that is consistent with the stated purpose. However, the registry metadata lists no required binaries while SKILL.md explicitly requires installing the @membranehq/cli; the skill should declare the CLI as a required binary/dependency.
Instruction Scope
SKILL.md is focused on installing and using the Membrane CLI to create connections, list actions, run actions, and proxy requests to Genderize. It does not instruct reading unrelated files or exfiltrating data, but it does rely on Membrane's server-side handling of credentials (i.e., Membrane will see proxied requests and auth tokens).
Install Mechanism
There is no formal install spec in the registry, but the instructions tell users to run `npm install -g @membranehq/cli` (a public npm package). Using a public npm package is common but has moderate risk; the skill should have declared this dependency in its metadata so users can review it before running global installs.
Credentials
No environment variables or credentials are requested by the skill itself; SKILL.md explicitly advises against asking users for API keys and instead to create a Membrane connection. This is proportionate. Note that creating a connection means Membrane will hold the external service credentials.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It is instruction-only and does not modify other skills or global agent config in the instructions.
What to consider before installing
This skill appears to be a straightforward integration that uses the Membrane CLI to talk to Genderize, but there are a few things to check before you install:
- The SKILL.md requires the @membranehq/cli (global npm install) but the registry metadata does not declare this required binary. Verify the CLI package (@membranehq/cli) on the npm registry and review its source before running a global install.
- Installing npm packages globally may require admin privileges and will put binaries on your PATH. Consider installing in a controlled environment or container if you want to limit effects on your system.
- The workflow uses Membrane to proxy requests and manage credentials; that means Membrane (their servers) will see the tokens/requests to Genderize. Confirm you are comfortable with that data flow and review Membrane's privacy/security documentation.
- The skill is instruction-only and will not automatically run code, but following the instructions will create credentials/connections in Membrane — treat those connections like any other service credential.
- If you need to use Genderize with sensitive or regulated datasets (names that could be sensitive), consider privacy and compliance implications of sending that data to an external service.
If you want to proceed, first inspect the @membranehq/cli package (source repo, maintainers, recent releases) and ensure the Membrane tenant/account you connect to is trusted.Like a lobster shell, security has layers — review code before you run it.
latestvk97etzk6vy6hqb4pgp7p8p6889843ve6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.