Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Niftykit
v1.0.2
NiftyKit integration. Manage Organizations, Users. Use when the user wants to interact with NiftyKit data.
⭐ 0 · 118 · 0 current · 0 all-time
by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (NiftyKit integration) match the instructions: all actions are performed via the Membrane CLI or Membrane proxy to the NiftyKit API. Required resources (network, Membrane account, Membrane CLI) are expected for this purpose.
Instruction Scope
SKILL.md only instructs installing and using the Membrane CLI (login, connect, action list/run, proxy requests). It does not direct the agent to read unrelated files, exfiltrate arbitrary data, or access unrelated environment variables.
Install Mechanism
Skill is instruction-only (no install spec). It tells the user to run `npm install -g @membranehq/cli` (or npx). Installing a global/npm CLI executes third-party code on the host — this is expected for the stated workflow but worth verifying the npm package and its provenance before installing.
Credentials
No environment variables, credentials, or config paths are requested by the skill. The guidance explicitly delegates auth to Membrane (no local API keys), which is proportionate to the stated integration.
Persistence & Privilege
Skill does not request persistent presence (always: false) and is user-invocable. It allows normal autonomous invocation (disable-model-invocation: false) which is platform default; this combination is expected and not excessive by itself.
Assessment
This skill is coherent and appears to do what it says: it uses the Membrane CLI to connect to NiftyKit and does not request extra credentials. Before installing/using it: (1) verify the @membranehq/cli package and its repository (npm/github) to confirm you trust the publisher; (2) review the OAuth/connection permissions when you authenticate in the browser (the connection grants Membrane access to your NiftyKit account); (3) avoid installing global npm packages on sensitive, production, or high-privilege hosts without auditing them; and (4) remember autonomous agent invocation is allowed by default — if you do not want the agent to call this skill without prompting, disable model invocation for the skill in your agent settings.
Like a lobster shell, security has layers — review code before you run it.
latest vk971cc8dpvct702dtgwg1kwkgs843g8g
