ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mav

v1.0.0

Mav integration. Manage data, records, and automate workflows. Use when the user wants to interact with Mav data.

0· 51·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Mav marketing automation) and the SKILL.md's use of the Membrane CLI to talk to a Mav connector are coherent. However, the SKILL.md's 'Official docs' link points to mavsdk.mavlink.io (the MAVLink drone SDK) which is unrelated to marketing automation; that mismatch suggests sloppy composition or copy-paste errors and should be verified with the publisher.
Instruction Scope
Runtime instructions are limited to installing/using the @membranehq/cli and running membrane commands (action list/run, request, connection management). The instructions do not direct the agent to read local files, env vars, or unrelated system data. They do tell users to perform browser-based OAuth flows and to use Membrane's proxy for API requests (which will route requests and auth through Membrane's servers).
Install Mechanism
The skill is instruction-only (no installer), but it tells users to run 'npm install -g @membranehq/cli' (or use npx). Global npm installs are common but modify the host environment. No opaque downloads or custom install archives are recommended, so install risk is moderate and traceable via the public npm package.
Credentials
The skill requests no environment variables or local credentials. It intentionally delegates auth to Membrane, which is proportionate to a connector-based integration — but this means credentials and proxied requests will be handled by Membrane's service rather than stored locally, which has privacy and trust implications.
Persistence & Privilege
The skill does not request always:true or any persistent system-level privileges. It is user-invocable and allows autonomous invocation (platform default), which is expected for skills and not a standalone concern here.
What to consider before installing
Before installing or using this skill: 1) Verify the vendor and repository (the SKILL.md lists getmembrane.com and a membrane GitHub repo — confirm those are legitimate and intended). 2) Confirm the 'Official docs' discrepancy (mavsdk.mavlink.io looks unrelated) — ask the publisher to clarify the correct Mav API docs. 3) Understand that Membrane will proxy API requests and manage credentials server-side — if your data or credentials are sensitive, review Membrane's privacy/security docs and terms. 4) If you install the CLI, prefer using npx for a one-off invocation or inspect the @membranehq/cli package on npm before running a global install. 5) If you need stronger assurance, request a signed skill/package or repository reference from the publisher and sample commands that target the correct Mav API endpoints.

Like a lobster shell, security has layers — review code before you run it.

latestvk9798pg78kg2anjpw7xj4pwnad8499w0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments