ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Happyfox Chat

v1.0.2

HappyFox Chat integration. Manage Chats, Agents, Visitors, Departments, Reports, Integrations. Use when the user wants to interact with HappyFox Chat data.

0· 164·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to integrate with HappyFox Chat and its instructions consistently use Membrane to do so. However the registry metadata declares no required binaries or install steps while the SKILL.md explicitly requires the 'membrane' CLI (npm install -g @membranehq/cli). The omission in metadata is an inconsistency that should have been declared.
Instruction Scope
All runtime steps in SKILL.md stay within the stated purpose: listing actions, creating connections, running actions, and proxying requests to the HappyFox Chat API via Membrane. The instructions do not ask the agent to read unrelated files or environment variables. They do instruct an interactive browser login and a headless completion flow (copying a URL/code).
!
Install Mechanism
There is no install spec in the registry, yet the SKILL.md instructs installing a global npm package (@membranehq/cli). Installing a third‑party CLI via npm is a moderate-risk operation and should have been declared in install metadata. The absence of an explicit, vetted install mechanism increases risk (e.g., you should verify the npm package identity and trustworthiness before installing).
!
Credentials
The skill declares no required environment variables or credentials, but it delegates authentication to Membrane. That means a third party (Membrane) will manage and likely store HappyFox credentials/tokens and will see proxied API requests. This is proportionate to the integration's functionality—but it is a privacy/trust decision the user must make; the SKILL.md does not explain where credentials are stored, the trust model, or data retention.
Persistence & Privilege
The skill is instruction-only, requests no special persistent presence (always is false), and does not modify other skills or system-wide configs. It does rely on an external service for token refresh but does not request elevated platform privileges.
What to consider before installing
This skill delegates HappyFox Chat access to the Membrane service and instructs you to install the @membranehq/cli via npm. Before installing or using it: (1) verify the npm package (@membranehq/cli) and the repository/homepage are legitimate; (2) be aware that Membrane will mediate and likely store your HappyFox credentials — review their privacy/security docs and trust model; (3) prefer installing in an isolated environment (container/VM) rather than globally on a production machine; (4) note the registry metadata omitted the CLI install requirement — treat that as a minor red flag and confirm expected requirements with the publisher if you need higher assurance.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dg4hefx9fenddr4jt4j48ts843295

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments