Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Newsletter

v1.0.2

Newsletter integration. Manage Newsletters. Use when the user wants to interact with Newsletter data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a Membrane-based Newsletter integration (using the Membrane CLI and proxying to newsletter APIs), which matches the advertised purpose. However, the registry metadata declares no required binaries, while the instructions explicitly require npm/node and the @membranehq/cli (and use npx). The doc also references MailerLite dev docs, which is mildly inconsistent with the generic 'Newsletter' description and the Membrane homepage.
Instruction Scope
Instructions are focused on installing and using the Membrane CLI, creating connections, listing actions, running actions, and proxying API requests — all within the skill's stated purpose. The proxy feature allows arbitrary proxied requests via Membrane, which is expected for an integration but does enable sending arbitrary requests to external APIs (so you must trust Membrane and the connector you create). The instructions do not ask the agent to read unrelated local files or environment variables.
Install Mechanism
The skill is instruction-only (no install spec), but instructs users/agents to run 'npm install -g @membranehq/cli' or use npx. This is a reasonable mechanism for this integration but the registry metadata should have declared the dependency on npm/node or the CLI. Installing global npm packages modifies the system environment and you should review the package on the npm registry before installing.
Credentials
No environment variables or credentials are requested by the skill. The SKILL.md explicitly advises not to ask the user for API keys and to use Membrane connections so credentials are handled server-side; this is proportionate for the described integration.
Persistence & Privilege
The skill does not request always: true and does not declare persistent system-wide modifications. It relies on the Membrane CLI and user-created connections; autonomous invocation is enabled (platform default) but not combined with other high-risk flags.
What to consider before installing
Before installing or using this skill:
(1) Verify you trust Membrane (getmembrane.com) because the skill asks you to create connections and Membrane will handle credentials and proxy requests on your behalf.
(2) Be aware the SKILL.md requires npm/node and the @membranehq/cli (global install or npx); the registry metadata does not list these binaries — confirm your environment can run those commands.
(3) Review the @membranehq/cli package on npm/GitHub yourself before installing (npm install -g runs code on your machine).
(4) Note the proxy feature can send arbitrary requests using the connection — only use it with connectors and endpoints you trust.
(5) The SKILL.md references MailerLite docs (inconsistent with a generic Newsletter description); if you expect a specific provider, confirm the connector/connection you create targets that provider.
If you want lower risk, run the Membrane CLI and test commands manually (outside of an autonomous agent) before granting the skill active use.
