ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Instatus

v1.0.0

Instatus integration. Manage data, records, and automate workflows. Use when the user wants to interact with Instatus data.

0· 47·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to integrate with Instatus and all runtime instructions use the Membrane CLI and Membrane's proxy to talk to Instatus, which is consistent with the stated purpose. However, the registry metadata lists no required binaries while the SKILL.md explicitly instructs installing `@membranehq/cli` globally — a metadata omission/inconsistency.
Instruction Scope
SKILL.md confines itself to installing and using the Membrane CLI, creating connections, listing actions, running actions, and proxying requests to the Instatus API. It does not instruct reading unrelated local files, exporting environment variables, or exfiltrating data to unexpected endpoints; it instead recommends letting Membrane manage credentials.
!
Install Mechanism
There is no install spec in the registry, but the instructions require `npm install -g @membranehq/cli`. Asking users to run a global npm install is a non-trivial action (postinstall scripts, global binaries) and should be declared in metadata. Prefer using npx or a documented, auditable source. Verify the CLI package on npm/GitHub before installing.
Credentials
The skill declares no environment variables or credentials and the instructions explicitly advise against asking users for API keys, relying on Membrane for auth. Requested access (browser-based login to Membrane and Membrane-managed connections to Instatus) is proportional to the task.
Persistence & Privilege
The skill does not request persistent always-on privileges and contains no steps that modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.
What to consider before installing
This skill appears to be a straightforward Instatus integration that uses the Membrane CLI, but the registry metadata fails to declare the requirement to install that CLI. Before installing or running commands: 1) Inspect the @membranehq/cli package on npm and its GitHub repo (confirm publisher, recent commits, and issues). 2) Prefer using npx (e.g., `npx @membranehq/cli action list ...`) instead of `-g` to avoid a global install. 3) Run the Membrane login flow only if you trust Membrane to manage access to your Instatus account — the login will grant Membrane tokens/permissions to act on your behalf. 4) If you want stronger isolation, test commands from an isolated environment or throwaway account. Finally, ask the publisher/registry to update the skill metadata to declare the required binary/install steps so the requirement is explicit.

Like a lobster shell, security has layers — review code before you run it.

latestvk978ptjrcytmns1rdmyb4ad6qh844bsg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments