ClawHub

Logoraisr

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent Logoraisr/Membrane integration skill, but users should notice that it requires installing a third-party CLI, logging into Membrane, and can run authenticated Logoraisr API requests.

Before installing, make sure you trust Membrane's CLI and intend to connect your Logoraisr account. Use pre-built actions where possible, and review any write or delete API request before allowing the agent to run it.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing a global CLI lets that npm package run code on the local machine.

Why it was flagged

The skill depends on installing a third-party CLI from npm, and the registry has no install spec. This is purpose-aligned, but users should trust the package source before installing it globally.

Skill content
npm install -g @membranehq/cli
Recommendation

Install the Membrane CLI only from the expected npm package and keep it updated from trusted sources.

#ASI03: Identity and Privilege Abuse
Low
What this means

The agent can use the connected Membrane/Logoraisr account to access Logoraisr data within that connection's permissions.

Why it was flagged

The skill requires logging into a Membrane account and creating a Logoraisr connection. This is expected for the integration, but it grants delegated access to the connected account.

Skill content
membrane login --tenant
Recommendation

Connect only the intended Logoraisr account and revoke the connection if you no longer want the skill to access it.

#ASI02: Tool Misuse and Exploitation
Medium
What this means

If used carelessly, authenticated API calls could change or delete Logoraisr business data.

Why it was flagged

The skill documents a raw authenticated API proxy to Logoraisr, including methods that can modify or delete data. It is disclosed as a fallback when pre-built actions do not cover the use case.

Skill content
membrane request CONNECTION_ID /path/to/endpoint ... HTTP method (GET, POST, PUT, PATCH, DELETE)
Recommendation

Prefer listed Membrane actions, and require explicit user confirmation before POST, PUT, PATCH, or DELETE requests.