ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Loopsso

v1.0.2

Loops.so integration. Manage Persons, Organizations, Deals, Activities, Notes, Files and more. Use when the user wants to interact with Loops.so data.

0· 117·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill declares Loops.so integration and all runtime instructions use the Membrane CLI / Membrane proxy to interact with Loops.so. Required capabilities (network + Membrane account) match the stated purpose.
Instruction Scope
SKILL.md only instructs installing and using the Membrane CLI, creating a connection, listing actions, running actions, and proxying requests to Loops.so. It does not ask the agent to read arbitrary local files, environment variables, or send data to unexpected endpoints.
Install Mechanism
The skill is instruction-only (no install spec), but directs users to run `npm install -g @membranehq/cli`. Installing a global npm package runs third-party code and requires write privileges—this is expected for a CLI integration but is a moderate operational risk the user should acknowledge.
Credentials
No environment variables, credentials, or config paths are requested by the skill. Authentication is delegated to Membrane's browser-based login/connection flow, which is proportionate to the integration.
Persistence & Privilege
Skill does not request always:true, does not modify system or other skills, and is not asking for elevated persistent privileges. Autonomous invocation is allowed by default but not combined with other concerning factors.
Assessment
This skill appears internally consistent: it delegates auth and API calls to the Membrane service and instructs using the official @membranehq/cli. Before installing, confirm you trust Membrane (getmembrane.com / the @membranehq npm package and GitHub repo) because Membrane will handle and can see Loops.so credentials and proxied requests. Installing the CLI globally runs third-party code and requires elevated permissions on your machine—consider auditing the package or installing it in a sandbox/container if you prefer. Do not supply unrelated API keys or local secrets to the skill; follow the documented browser-based connection flow.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bnxrskndg5m3kqh7b45mvah842gew

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments