ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nasdaq Data Link

v1.0.2

Nasdaq Data Link integration. Manage Datasets. Use when the user wants to interact with Nasdaq Data Link data.

0· 70·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is described as a Nasdaq Data Link integration and all runtime instructions use the Membrane CLI to interact with Nasdaq Data Link — this is coherent. Minor inconsistency: the skill metadata lists no required binaries, but SKILL.md explicitly instructs installing the @membranehq/cli npm package (a CLI binary).
Instruction Scope
Runtime instructions are scoped to installing and using the Membrane CLI (login, create connection, list/run actions, proxy requests). They do not instruct reading arbitrary host files, asking for unrelated credentials, or sending data to unexpected endpoints.
Install Mechanism
There is no formal install spec in the registry; instead SKILL.md instructs running `npm install -g @membranehq/cli`. Installing a global npm package is a common pattern but has moderate risk (npm install runs third-party code and writes to disk). The instruction uses a public npm package (traceable), not an arbitrary download URL.
Credentials
The skill declares no required environment variables or secrets and explicitly advises letting Membrane handle API keys/server-side auth. The level of access requested is proportionate to the stated purpose (requires a Membrane account and network access).
Persistence & Privilege
always:false (normal). Be aware that installing and logging in with the Membrane CLI will create local auth state (and server-side connections) that subsequent CLI commands can use; if an agent invokes the skill autonomously it could run membrane commands against connections the user has created.
Assessment
This skill appears to do what it says: it uses Membrane to access Nasdaq Data Link. Before installing, verify the @membranehq/cli package and publisher on npm/GitHub (to reduce supply-chain risk) and consider installing the CLI in a controlled environment (container or dedicated machine) rather than globally on a critical workstation. Remember that logging in with the CLI will create auth state and any agent-invoked membrane commands can act using that connection — only install and authorize if you trust Membrane and you intend to allow the agent to operate on your Membrane connections. Also note the small metadata inconsistency (the skill lists no required binaries but the docs require the Membrane CLI).

Like a lobster shell, security has layers — review code before you run it.

latestvk97c52vtfvdhte7xe7q1t2pbtd8423v1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments