ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Merge 1

v1.0.0

Merge integration. Manage data, records, and automate workflows. Use when the user wants to interact with Merge data.

0· 26·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Merge integration) match the instructions: the SKILL.md consistently describes using the Membrane CLI to connect to Merge, discover actions, run actions, and proxy raw API requests. No unrelated services or credentials are requested.
Instruction Scope
The instructions tell the agent/user to install and run the @membranehq/cli, perform an interactive browser login or headless flow, list/connect connections, run actions, and proxy requests. These are in-scope for a Merge integration. Minor inconsistency: the doc shows both a global npm install and an npx usage (npx@latest) — functionally fine but inconsistent.
Install Mechanism
There is no formal install spec in the registry (skill is instruction-only) but the SKILL.md instructs running npm install -g @membranehq/cli (or using npx). Installing a global npm package runs third-party code from the npm registry — expected for a CLI but a point to review (you may prefer npx or auditing the package first).
Credentials
No environment variables, config paths, or credentials are requested by the skill. The doc explicitly advises against asking users for API keys and uses Membrane to manage auth server-side, which is proportionate to the stated purpose.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request permanent presence or system-wide config changes. No evidence it would modify other skills or system settings.
Assessment
This skill appears coherent: it instructs the agent to use the Membrane CLI to manage Merge connections and run actions, and it does not request secrets or unrelated access. Before installing/using it, consider: (1) you will need network access and a Membrane account and will perform an interactive login in a browser (or use a headless flow), (2) the SKILL.md asks you to install a global npm package — installing third-party CLIs executes code from the npm registry, so review the @membranehq package or prefer using npx to avoid a global install, (3) trust in the Membrane service matters because it will broker credentials and proxy API requests on your behalf. If you are uncomfortable with that trust, do not install or authenticate.

Like a lobster shell, security has layers — review code before you run it.

latestvk973mwma9mepnw7z75r6reras18495zh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments