Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Keka
v1.0.0Keka integration. Manage data, records, and automate workflows. Use when the user wants to interact with Keka data.
⭐ 0· 35·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description claim a Keka integration to manage data/records (reasonable), and the SKILL.md explains how to use the Membrane CLI to connect to a Keka connector — that matches the stated purpose. However, the SKILL.md also incorrectly describes 'Keka' as a macOS file archiver and links keka.io (likely a copy/paste error). The homepage points to getmembrane.com, not an official Keka API site. These contradictions reduce trust in the skill's authorship and accuracy.
Instruction Scope
Instructions are prescriptive and limited to installing and using the Membrane CLI, creating/using a connector, listing actions, running actions, and proxying API requests through Membrane. They do not ask the agent to read local files or extra environment variables. One important scope note: requests to the Keka API are routed through Membrane's proxy/service (membrane request), which will transmit user data and API calls to Membrane — this is expected for a connector but is a third‑party data flow the user should understand and accept.
Install Mechanism
No formal install spec in the registry; SKILL.md instructs the user to run 'npm install -g @membranehq/cli'. Installing an npm package globally is normal for CLI usage but is a moderately privileged operation (writes to system global bins). This is not inherently malicious but should be verified (package name and publisher) before global install.
Credentials
The skill declares no required environment variables or credentials and instructs the user to rely on Membrane-managed connections (browser-based login). That is proportionate to a Connector-style integration. There is no request for unrelated secrets in the instructions.
Persistence & Privilege
The skill does not request always:true, does not declare system config paths, and has no install-time code files. It relies on the Membrane CLI at runtime but does not request persistent privileges or modify other skills' configurations according to the provided metadata.
What to consider before installing
This skill looks like a Membrane connector for 'Keka', but the SKILL.md contains an obvious copy/paste error (calling Keka a macOS archiver) and points to Membrane as the proxy. Before installing or using it: (1) confirm which 'Keka' product this targets (HR/payroll vs macOS archiver) and that this matches your intent; (2) understand that API calls and data will be routed through Membrane's servers — review Membrane's privacy/security and trust the operator; (3) verify the npm package '@membranehq/cli' publisher before performing a global install; (4) prefer official/known connectors from trusted sources or inspect a repository/source code if available. The inconsistencies are likely sloppy engineering, not proof of malice, but they justify extra caution.Like a lobster shell, security has layers — review code before you run it.
latestvk970xkdyqj1a2jny230x7ryfj584hsv9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.