ClawHub

Helloleads

v1.0.2

HelloLeads integration. Manage Leads, Persons, Organizations, Deals, Activities, Notes and more. Use when the user wants to interact with HelloLeads data.

0· 77·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims to integrate with HelloLeads and all runtime instructions show use of the Membrane CLI to discover connectors, create connections, run actions, and proxy API requests — this aligns with the stated purpose. Minor inconsistency: the SKILL.md documents that credentials are stored at ~/.membrane/credentials.json but the skill metadata did not declare any required config path.
Instruction Scope
Instructions are narrowly focused on using the Membrane CLI to authenticate, discover connectors, run actions, and proxy requests. Two things to be aware of: (1) the CLI stores credentials in ~/.membrane/credentials.json (the skill instructs the agent to rely on that file indirectly), and (2) the proxy command allows passing a full URL (not just HelloLeads paths), which could be used to contact arbitrary endpoints through Membrane if misused.
Install Mechanism
The skill is instruction-only (no install spec) but relies on running npx @membranehq/cli@latest. npx executes a package fetched from the npm registry at runtime — this is common but means remote code will be run on-demand. There is no bundled code to audit in the skill itself.
Credentials
No environment variables or secrets are requested by the skill itself; authentication is delegated to Membrane and performed via a browser flow. This is proportionate to the described functionality. As noted, credentials are stored in a local file (~/.membrane/credentials.json), which the SKILL.md references but which was not listed in the metadata's required config paths.
Persistence & Privilege
The skill does not request permanent inclusion (always: false) and does not request elevated platform privileges. The Membrane CLI will write credentials to the user's home directory (~/.membrane/credentials.json) as part of normal operation — this is expected, but users should be aware credentials are persisted locally by the CLI.
Assessment
This skill appears to do what it says: it uses the Membrane CLI to interact with HelloLeads. Before installing or running it, consider the following: (1) npx @membranehq/cli@latest will fetch and execute code from npm each time — ensure you trust the @membranehq package and the npm registry. (2) The CLI stores credentials in ~/.membrane/credentials.json; check and control access to that file if you handle sensitive data. (3) The proxy command can accept full URLs, so avoid sending sensitive data to untrusted endpoints through the proxy. If you're comfortable trusting Membrane and you expect to authenticate via browser flow, the skill is proportionate to its purpose. If you need higher assurance, review the Membrane CLI source and verify the package publisher before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d226t0e667anmtn58j1k9cx843yh2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments