Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Marvel

v1.0.0

Marvel integration. Manage data, records, and automate workflows. Use when the user wants to interact with Marvel data.

0 · 45 · 0 current · 0 all-time
by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a Marvel integration via the Membrane CLI which is coherent with the skill name/description and homepage. However the registry metadata declares no required binaries or install steps while the instructions explicitly require Node/npm (global npm install or npx) and the @membranehq/cli package. That omission is an inconsistency (missing declared requirements), though the requested tools themselves are reasonable for the stated purpose.
Instruction Scope
Instructions stay within the domain of Membrane <> Marvel interactions: installing the Membrane CLI, creating connections, listing actions, running actions, and using Membrane's request proxy. The instructions do not ask the agent to read unrelated files or environment variables. Note: the 'membrane request' proxy lets you send arbitrary proxied HTTP requests to the Marvel API, which is expected for this integration but can transmit user data to external services.
Install Mechanism
There is no formal install spec in the registry (instruction-only skill). The SKILL.md recommends installing a public npm package globally or invoking it via npx. Installing or running third-party npm code is a moderate-risk install mechanism (packages are traceable but execute remote code). The skill should have declared these requirements explicitly in metadata; the lack of an install spec is a gap.
Credentials
The skill does not request environment variables or credentials and explicitly recommends letting Membrane handle auth via browser flows rather than asking for API keys. This is proportionate to the stated purpose. The agent will need network access and a Membrane account, which the SKILL.md declares.
Persistence & Privilege
The skill does not request elevated persistence (always:false) and does not declare modifications to other skills or global agent settings. Model invocation is allowed (default), which is expected for skills and not flagged on its own.
What to consider before installing
- Metadata vs. instructions: the registry metadata omits required tooling, but SKILL.md asks you to install @membranehq/cli via npm or npx. Expect to install Node/npm and run third-party npm code; verify the package and its source (GitHub/repo) before installing globally.
- Membrane auth flow: the CLI opens a browser for authentication and stores credentials in Membrane; you will not be asked for Marvel API keys locally. In a headless environment you will need to complete a code-based flow instead.
- Proxied requests: the CLI's 'membrane request' can send arbitrary proxied HTTP requests to Marvel. That is necessary for advanced use, but it means the agent could send data to external APIs; avoid passing sensitive secrets or unrelated data through the skill.
- Risk mitigation: review the @membranehq/cli source (repo/release), run npm packages in an isolated environment or container if you're cautious, and validate connector IDs/actions before executing. If you require higher assurance, ask the author/maintainer for an explicit install manifest and for the skill to declare required binaries and network requirements in metadata.
- When to avoid: do not install this into always-on or highly-privileged agents if you cannot verify the npm package and Membrane account policies, and avoid using it with secrets unrelated to Marvel.
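The "verify the package before installing globally" step above can be made concrete. The following is an added example written for this listing; it is not code from the ClawHub page or from the @membranehq/cli project. It audits an npm package manifest (package.json) for the things that matter before a global install: install-time lifecycle hooks (which execute third-party code during `npm install` or `npx`), a missing or untraceable repository field, the `bin` commands a global install would put on PATH, and an unusually wide dependency set. The two manifests at the bottom are constructed for the example and do not describe the real @membranehq/cli package; to audit the real one, obtain its manifest with `npm view @membranehq/cli --json` (or unpack `npm pack @membranehq/cli` and read package.json) and pass that object to `auditManifest`.

```javascript
// Added example for this listing (not part of the ClawHub page or of the
// @membranehq/cli project): a pre-install audit of an npm package manifest.
// The two manifests at the bottom are constructed for this example and do not
// describe the real @membranehq/cli package.

// npm runs these hooks automatically: preinstall/install/postinstall on every
// install (including `npx`), prepare on git dependencies and local installs.
// Any of them means third-party code executes before you ever invoke the CLI.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Forges where the source can be browsed and compared against the published tarball.
const KNOWN_FORGES = /github\.com|gitlab\.com|bitbucket\.org/;

// package.json allows "repository" as a string or as { type, url }.
function repositoryUrl(manifest) {
  const repo = manifest.repository;
  if (typeof repo === 'string') return repo;
  if (repo && typeof repo.url === 'string') return repo.url;
  return null;
}

// Returns { bins, findings, verdict } for one package.json object.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};

  for (const hook of INSTALL_HOOKS) {
    if (Object.prototype.hasOwnProperty.call(scripts, hook)) {
      findings.push({ severity: 'high', detail: `runs "${hook}" at install time: ${scripts[hook]}` });
    }
  }

  const repo = repositoryUrl(manifest);
  if (!repo) {
    findings.push({ severity: 'medium', detail: 'no repository field; source cannot be traced' });
  } else if (!KNOWN_FORGES.test(repo)) {
    findings.push({ severity: 'low', detail: `repository is not on a common forge: ${repo}` });
  }

  // `bin` is what a global install puts on PATH; a CLI should expose exactly the commands you expect.
  const bins = typeof manifest.bin === 'string' ? [manifest.name] : Object.keys(manifest.bin || {});
  if (bins.length === 0) {
    findings.push({ severity: 'low', detail: 'no bin entry; package is not a CLI' });
  }

  // Every direct dependency pulls in its own tree; a large count widens the trust surface.
  const depCount = Object.keys(manifest.dependencies || {}).length;
  if (depCount > 50) {
    findings.push({ severity: 'low', detail: `${depCount} direct dependencies widen the trust surface` });
  }

  const verdict = findings.some((f) => f.severity === 'high') ? 'review-before-install' : 'ok';
  return { bins, findings, verdict };
}

// Constructed sample manifests (hypothetical package, not a real one).
const cleanManifest = {
  name: 'example-cli',
  version: '1.0.0',
  bin: { 'example-cli': 'bin/cli.js' },
  repository: { type: 'git', url: 'git+https://github.com/example/example-cli.git' },
  dependencies: { commander: '^12.0.0' },
  scripts: { test: 'node test.js' },
};

const hookedManifest = {
  name: 'example-cli',
  version: '1.0.1',
  bin: { 'example-cli': 'bin/cli.js' },
  dependencies: {},
  scripts: { postinstall: 'node scripts/setup.js' },
};

for (const m of [cleanManifest, hookedManifest]) {
  const result = auditManifest(m);
  console.log(`${m.name}@${m.version}: ${result.verdict}`, result.findings.map((f) => f.detail));
}
```

The clean manifest audits as `ok`; the hooked one is flagged `review-before-install` because of the postinstall hook and the missing repository. A `high` finding does not mean the package is malicious, only that code will run before you have read it: `npm install -g --ignore-scripts <pkg>` suppresses the hooks, but the CLI itself still executes when you run it, so reviewing the source or running it in a container remains the fuller mitigation the listing recommends.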

Like a lobster shell, security has layers — review code before you run it.

latest · vk97ffcack9c7faf7d0e9vka9ph84cnmt
