Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Morningmate
v1.0.2
Morningmate integration. Manage Users, Organizations. Use when the user wants to interact with Morningmate data.
by Vlad Ursul (@gora050)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and runtime instructions align: the skill is a Membrane-based integration for Morningmate. However the registry metadata lists no required binaries or environment variables while the SKILL.md clearly expects the npm tool and the Membrane CLI (membrane). This mismatch is an implementation/metadata inconsistency that should be corrected.
Instruction Scope
The SKILL.md stays on-topic: it instructs installing the Membrane CLI, logging in, creating connections, listing/running actions, and proxying API requests. It does not instruct reading unrelated files or exfiltrating secrets, and it explicitly advises not to ask users for API keys.
Install Mechanism
There is no automated install spec in the registry; the SKILL.md recommends running `npm install -g @membranehq/cli` (a public npm package). Installing a global npm CLI is a reasonable way to obtain a CLI, but it carries moderate risk (arbitrary code execution at install-time). The instructions do not provide an alternative such as using `npx` or pinning a checked release; consider verifying the package publisher and using non-global invocation if you want to limit exposure.
Credentials
The skill does not request any environment variables or credentials in the registry metadata, which matches the SKILL.md guidance that Membrane handles auth server-side. Note: using Membrane means your Morningmate API traffic and credentials are proxied through Membrane's service — that is expected but important for privacy and trust decisions.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It is user-invocable and allows model invocation (normal). There is no indication it modifies other skills or system-wide agent settings.
What to consider before installing
Before installing: (1) Understand that this skill relies on the Membrane service — your Morningmate traffic and authentication will be proxied through Membrane, so review its privacy/security posture and terms. (2) The SKILL.md expects npm and the `membrane` CLI even though the registry metadata lists no required binaries — verify you can install Node/npm and the @membranehq package from a trusted source. (3) Prefer using `npx @membranehq/cli@latest` or pinning a specific version rather than a global `npm -g` install to reduce install-time risk. (4) When connecting, inspect what permissions the connector requests; avoid approving more access than necessary. (5) If you need higher assurance, verify the @membranehq/cli package source (GitHub repo, maintainer org) and the connector implementation before use.
Like a lobster shell, security has layers — review code before you run it.
