Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Navigatr
v1.0.0Navigatr integration. Manage data, records, and automate workflows. Use when the user wants to interact with Navigatr data.
⭐ 0· 50·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (Navigatr integration) matches the instructions: it uses the Membrane CLI to manage connections, run actions, and proxy API requests to Navigatr. However, the registry metadata lists no required binaries or install steps while the SKILL.md explicitly instructs installing @membranehq/cli via npm and running the `membrane` command. That mismatch (missing declared dependency on npm/membrane) is an oversight and reduces clarity.
Instruction Scope
Instructions are narrowly scoped to installing and using the Membrane CLI (login, connection list, action list/run, and proxy requests). They do not instruct reading arbitrary local files or unrelated credentials. They do, however, direct the agent/user to send requests through Membrane's proxy — which will transmit request data and use Membrane-managed credentials to Membrane's servers. That behavior is expected for this integration but is material from a privacy/security perspective and should be understood before use.
Install Mechanism
This is an instruction-only skill (no install spec), but it tells users to run `npm install -g @membranehq/cli` (or use npx). Installing an npm package globally writes code to disk and runs a third-party package from the npm registry — a standard but nontrivial install step. The skill did not declare 'npm' or the membrane CLI as required binaries in metadata, which is an inconsistency. The install mechanism (public npm package) is common and not inherently malicious, but you should verify the package/organization (membranehq) and trustworthiness of getmembrane.com/github repo before installing.
Credentials
The skill declares no required environment variables and the SKILL.md explicitly advises not to ask users for API keys, instead creating connections so Membrane handles auth server-side. This is proportionate: no local secrets are requested. Note that credentials will be stored/managed by Membrane (external service), so you are delegating credential custody to that service.
Persistence & Privilege
The skill does not request permanent 'always' inclusion, does not include an install spec that writes configuration outside its own scope, and does not ask to modify other skills or system-wide settings. Autonomous invocation is allowed by platform default but is not combined with other elevated privileges here.
What to consider before installing
Before installing: 1) Understand that this skill relies on the Membrane CLI (npm package @membranehq/cli). Installing it will add code to your system and requires npm or using npx. 2) Membrane acts as a proxy and will see requests and hold credentials for Navigatr — verify you trust Membrane (check getmembrane.com and the GitHub repo/organization) and confirm the scope of permissions the connector requests during authentication. 3) The skill metadata did not list required binaries (npm/membrane) — expect to provide them. 4) If you handle sensitive data, consider testing in a restricted environment or reviewing Membrane's privacy/security docs first. 5) If anything about the connector IDs/actions is unclear, ask the skill author for justification of why Membrane is needed and whether direct API usage is possible. If you want, provide me the link to the npm package or repo and I can point out any red flags in those artifacts.Like a lobster shell, security has layers — review code before you run it.
latestvk9704ca2303ayzf9r80ycyt3zs8492c1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.