Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Leadoku

v1.0.2

Leadoku integration. Manage Leads, Persons, Organizations, Deals, Pipelines, Users and more. Use when the user wants to interact with Leadoku data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a Leadoku integration implemented via the Membrane CLI, which is coherent. However, the 'Official docs' link points to HubSpot developer docs (developers.hubspot.com), which is likely a copy/paste error or mislabeling and raises doubt about the author's care or intent.
Instruction Scope
The instructions tell the user to install and use the @membranehq/cli and to run commands that proxy API requests via Membrane (membrane request). That means API calls and payloads will be routed through Membrane's services — expected for this approach but important because user data sent to Leadoku will transit a third party. The instructions do not ask for unrelated local files or env vars.
Install Mechanism
The skill is instruction-only but recommends installing @membranehq/cli via npm -g. This is a public npm package (moderate risk): global npm installs run third‑party code with elevated filesystem impact. No direct downloads from unknown URLs or archive extracts are used.
Credentials
The skill declares no required env vars, which matches the package metadata. At runtime the user must sign into a Membrane account (interactive login) — credentials are not requested as env vars but will be used by the Membrane service. This is proportionate to the described functionality, but the skill relies on remote custody of credentials by Membrane (server‑side auth).
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request persistent platform privileges. There is no install spec that modifies other skills or global agent settings beyond installing a CLI via npm if the user chooses to.
What to consider before installing
This skill appears to be a Membrane-based connector for Leadoku, but you should: (1) verify the npm package (@membranehq/cli) and the publisher on npm/GitHub before running a global install; (2) be aware that requests and data will be proxied through Membrane’s servers (getmembrane.com) — don't send highly sensitive data unless you trust that service and have reviewed its privacy/security terms; (3) investigate the strange 'Official docs' HubSpot link (could be a harmless copy/paste, but it reduces confidence); (4) test the workflow in a non‑production environment first; and (5) prefer installing CLI tools in isolated environments (container or VM) rather than system-wide if you are uncertain.

Like a lobster shell, security has layers — review code before you run it.
