ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Moskit

v1.0.0

Moskit integration. Manage Organizations, Activities, Notes, Files, Pipelines, Users and more. Use when the user wants to interact with Moskit data.

0· 173·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill's runtime instructions clearly describe using Membrane to interact with Moskit (actions, proxy requests, connections), which aligns with the stated purpose of interacting with Moskit data. Minor inconsistency: the SKILL.md describes Moskit as a 'session replay and product analytics tool' while the skill metadata describes CRM-like entities (Organizations, Activities, Notes, Pipelines). This looks like a documentation mismatch rather than a functional inconsistency.
Instruction Scope
All runtime instructions are limited to installing/using the Membrane CLI, creating connections, listing/running actions, and proxying requests via Membrane. The SKILL.md does not instruct reading arbitrary local files or environment variables, nor does it direct data to unexpected external endpoints beyond Membrane/Moskit.
Install Mechanism
There is no platform install spec (instruction-only), but the doc instructs users to run `npm install -g @membranehq/cli`. Installing a global npm package is a common but higher-risk action than 'no install' because third-party npm packages execute code on install and require privilege. The instruction is proportionate for using Membrane, but users should vet the package and its source before running a global install.
Credentials
The skill declares no required environment variables or credentials and explicitly instructs to use Membrane's browser-based login/connection flow so credentials are handled server-side. This is proportionate to the described functionality.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system privileges or modify other skills/configuration. It is user-invocable and allows normal autonomous invocation, which is the platform default.
Assessment
This skill is instruction-only and uses the Membrane CLI to access Moskit data, which is consistent with its purpose. Before installing or running anything: 1) Verify the @membranehq/cli npm package and its publisher (npm packages run code at install time and global installs require elevated rights). 2) Confirm which 'Moskit' product this is meant for (docs in the SKILL.md and the metadata differ slightly). 3) Understand that using 'membrane request' or custom actions can access any data available to the connected Moskit account — only connect accounts you trust and review permissions during the browser login. 4) Avoid running global installs on sensitive production machines; consider using a container or a local node environment for vetting.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fm1wapm14697t3t5w558gtn82vvdh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments