ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lumigo

v1.0.0

Lumigo integration. Manage data, records, and automate workflows. Use when the user wants to interact with Lumigo data.

0· 27·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Lumigo integration) aligns with the instructions: the skill uses Membrane as an intermediary to connect to Lumigo. Requiring a Membrane account and network access is appropriate for this purpose.
Instruction Scope
SKILL.md only instructs use of the Membrane CLI to discover connectors, create a connection, run actions, and proxy requests to Lumigo. Those commands are within the stated scope. Note: the proxy feature (membrane request) can be used to send arbitrary API requests to Lumigo (or other proxied endpoints) — this is expected functionality but means commands could read/write any data the connected account can access.
Install Mechanism
There is no automated install spec; the doc tells the user to install @membranehq/cli via npm -g. That is a reasonable way to get the CLI but installing global npm packages carries the usual supply-chain risk; the skill itself does not attempt to download or run arbitrary remote code on the user's behalf.
Credentials
The skill declares no environment variables, no credentials, and no config paths. It relies on Membrane to handle auth via an interactive login flow, which is proportionate to its function.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is instruction-only. It does not attempt persistent system-wide changes.
Assessment
This skill is coherent and appears to do what it says: it uses the Membrane CLI to connect to Lumigo and run or proxy API calls. Before installing/using it, verify you trust the @membranehq npm package and the Membrane service (review publisher, package version, and README). Prefer using npx for single commands if you want to avoid a global install. Remember that any membrane connection you create grants the CLI/service the same access your Lumigo account has, and the 'membrane request' proxy can read or modify any data reachable by that connection — don’t run commands that would send sensitive data you don’t intend to share. If you need higher assurance, inspect the Membrane CLI source/release on GitHub and confirm the connector IDs/actions returned match Lumigo documentation.

Like a lobster shell, security has layers — review code before you run it.

latestvk9719zj1gktzeyz60scx34sa4s847cp4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments