ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Livekit

v1.0.0

LiveKit integration. Manage data, records, and automate workflows. Use when the user wants to interact with LiveKit data.

0· 47·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description indicate LiveKit integration and the instructions exclusively use the Membrane CLI and Membrane-hosted connectors to access LiveKit. Required capabilities (network access, Membrane account) are appropriate and expected for this purpose.
Instruction Scope
SKILL.md instructs the agent/operator to install the Membrane CLI, perform browser-based login, create connections, list actions, run actions, and proxy raw requests to LiveKit through Membrane. It does not ask the agent to read unrelated files, access unrelated environment variables, or exfiltrate data outside of Membrane/LiveKit. The scope stays within LiveKit integration via Membrane.
Install Mechanism
There is no packaged install spec, but the runtime instructions direct the operator to run `npm install -g @membranehq/cli` and use `npx ...@latest` — this causes network downloads and global package installation. Using npm/npx is traceable but still an action that writes to the system and pulls remote code; prefer verifying the package/source and optionally using a pinned version or local/npx invocation instead of global install.
Credentials
The skill declares no environment variables, no credentials, and delegates auth to Membrane (browser login flow). Requesting a Membrane account and network access is proportional. There are no unrelated credential requests.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system-wide agent settings. The only persistent side-effect recommended by SKILL.md is installing a global npm CLI, which is a system-level change the user should consent to.
Assessment
This skill appears to do what it says: control LiveKit via the Membrane CLI. Before installing/using it: 1) Verify the @membranehq/cli npm package is the official package you expect (check npm page and repository links). 2) Prefer using npx with a pinned version rather than `-g` and `@latest` if you want reproducibility. 3) Understand that auth happens via a browser-based login to Membrane — you are delegating LiveKit credentials management to Membrane, so review Membrane's privacy/terms. 4) If you cannot or prefer not to install an npm package globally, run the CLI temporarily via npx or use an isolated environment. If you need higher assurance, ask the skill publisher for source code or a signed release to audit.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bgt7x6rb2fka22x01sjsvqn84cmtq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments