Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Leap

v1.0.2

Leap integration. Manage Organizations, Pipelines, Projects, Users, Goals, Filters. Use when the user wants to interact with Leap data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a Membrane-based Leap integration (organizations, pipelines, projects, users) and provides CLI workflows that align with that purpose. However, the 'Popular actions' table lists music/image generation and model-training actions that do not match the Leap/integration description — suggesting copy-paste or mislabeling and reducing confidence that the skill text accurately documents its capabilities.
Instruction Scope
Instructions are limited to installing the Membrane CLI, logging in, creating connections, listing and running actions, and proxying API requests through Membrane. These steps are within the expected scope for an integration skill. Note: the proxy command allows arbitrary requests to the target API via Membrane, so a connected Membrane account effectively grants Membrane access to Leap data (expected behavior for such integrations).
Install Mechanism
There is no packaged install spec for the skill itself; it is instruction-only. It asks users to globally install the official @membranehq/cli from npm (npm install -g), which is a standard, traceable registry install — moderate risk but proportionate for a CLI-based integration.
Credentials
The skill requests no environment variables or credentials and explicitly instructs to let Membrane handle credentials. This is consistent with the described flow and proportionate to the purpose.
Persistence & Privilege
The skill does not request always:true, administrative privileges, or changes to other skills. It relies on the Membrane CLI's normal authentication flow (which will store connection state locally or server-side) — expected for this type of integration.
What to consider before installing
This skill appears to be an instruction-only integration that uses the Membrane CLI to access Leap. Before installing or using it:
(1) verify the skill source/author: the registry metadata shows an unknown owner and the SKILL.md contains suspiciously unrelated 'Popular actions' (music/image/model operations), which may be copy-paste noise or misdocumentation;
(2) confirm you trust Membrane (https://getmembrane.com) because the CLI + connection grants Membrane access to your Leap account data;
(3) if you proceed, install the CLI from the official npm package and perform initial tests in an isolated or low-privilege account to confirm the actions and endpoints match your expectations;
(4) ask the skill author to clarify or correct the mismatched action list and to provide a canonical source/manifest for the Leap integration; absence of that clarification keeps the skill in the 'suspicious' category.

Like a lobster shell, security has layers — review code before you run it.
