Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Homerun
v1.0.0
Homerun integration. Manage data, records, and automate workflows. Use when the user wants to interact with Homerun data.
by Vlad Ursul @gora050
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill declares a Homerun integration and all runtime instructions use the Membrane CLI to connect to Homerun and proxy API requests — this matches the stated purpose. Minor metadata omission: SKILL.md instructs installing @membranehq/cli via npm (so node/npm and a CLI binary are required), but the registry metadata lists no required binaries.
Instruction Scope
SKILL.md confines actions to discovering and running Membrane-provided actions and proxying requests to the Homerun API. It does not instruct reading unrelated files, exfiltrating secrets, or accessing unrelated system paths. Auth is handled via browser-based OAuth flows (or a headless code-complete flow), which limits silent credential capture.
Install Mechanism
There is no automated install spec in the registry (instruction-only). The instructions ask users to install a public npm package (@membranehq/cli) globally — a common pattern but one that depends on trusting that npm package and its publisher. No obscure download URLs or extract-from-unverified-host steps are present.
Credentials
The skill requests no environment variables or local config paths and explicitly instructs not to collect API keys; authentication is delegated to Membrane. The requested access (Homerun via Membrane) is proportionate to the integration's purpose.
Persistence & Privilege
The skill is instruction-only and does not request persistent or elevated agent privileges. always is false and autonomous invocation remains the platform default; the flow requires browser-based user consent to create connections, limiting silent setup.
Assessment
This skill appears to do what it says: it uses the Membrane CLI to connect to Homerun and proxy API calls. Before installing or using it: (1) confirm that you trust the @membranehq/cli npm package and its publisher (check the npm page and the linked GitHub repository), (2) ensure node/npm are available on the system (the skill metadata omits this requirement), (3) run the CLI and auth flows in a controlled environment if you have sensitive data, and (4) review the permissions granted when creating the Membrane <-> Homerun connection, because Membrane will handle API access on your behalf. If you need stronger assurance, inspect the Membrane CLI source and the connector implementation (repository) before granting access.
Like a lobster shell, security has layers — review code before you run it.
latestvk978z9w7jjqte3fzq6j0bpepjd849mrf
