ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Heartbeat

v1.0.2

Heartbeat integration. Manage Organizations, Users. Use when the user wants to interact with Heartbeat data.

0· 85·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's stated purpose (Heartbeat integration) matches the instructions (use the Membrane CLI to connect, run actions, and proxy Heartbeat API requests). Minor mismatch: registry metadata lists no required binaries, but the runtime instructions require installing and using the Membrane CLI (npm @membranehq/cli) and thus implicitly require Node/npm and network access.
Instruction Scope
SKILL.md stays on-topic: it instructs the agent to authenticate with Membrane, discover/connect to a Heartbeat connector, run prebuilt actions, or proxy requests via Membrane. It does not ask to read unrelated files or environment variables or to exfiltrate data to unexpected endpoints.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but SKILL.md instructs users to run `npm install -g @membranehq/cli`. Using a public npm package is a common pattern but has moderate risk compared with a reviewed vendor package; the skill itself will not auto-download code at install time according to the registry.
Credentials
The skill requests no environment variables or secrets and explicitly advises letting Membrane handle credentials rather than asking the user for API keys. That is proportionate to its purpose.
Persistence & Privilege
The skill does not request always-on inclusion, does not modify other skills or system-wide config, and does not request elevated persistent privileges.
Assessment
This skill appears to be what it says: a Membrane-based Heartbeat integration. Before installing or following its instructions, verify you trust the Membrane CLI (@membranehq/cli) and its npm package, be aware that installing it globally requires Node/npm and will place a binary on your system, and expect to authenticate via a browser-based OAuth flow. The skill itself does not ask for other credentials; it relies on Membrane to store and manage them. If you need tighter control, review the Membrane project's homepage/repository and the npm package contents before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk974kkk9yxqs9n7p3ya3cr76pn84389b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments