Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Noticeable

v1.0.2

Noticeable integration. Manage Organizations. Use when the user wants to interact with Noticeable data.

by Vlad Ursul @gora050
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Pending
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description claim a Noticeable integration and the instructions consistently use Membrane to connect to Noticeable, which is coherent. However the SKILL.md's "Official docs" URL points to a ServiceNow 'sn_notable' API page (likely unrelated) and the registry metadata does not declare the Membrane CLI as a required binary — both look like copy/paste or manifest-quality issues.
Instruction Scope
Runtime instructions are limited to installing/using the Membrane CLI, logging in via browser, listing/creating connections, running actions, and proxying API calls through Membrane. The instructions do not ask the agent to read local files or unrelated environment variables. The proxy capability allows arbitrary API calls via Membrane, which is expected for this type of integration but worth noting for data flow/privacy.
Install Mechanism
This is an instruction-only skill (no install spec). The SKILL.md tells users to run `npm install -g @membranehq/cli`, a public npm package; that is a normal approach but the package install is not reflected in the skill's declared requirements. Installing global npm packages requires local privileges and you should verify the package and publisher.
Credentials
The skill declares no environment variables or credentials and explicitly delegates auth to Membrane (the user logs in via browser). That is proportional to the stated purpose. Note: using Membrane means authentication and API traffic are handled by Membrane's service, so you are trusting their infrastructure for credential management and data proxying.
Persistence & Privilege
The skill does not request always:true and does not modify agent-wide settings. It is user-invocable and allows normal autonomous invocation — the default behavior — and does not request elevated or persistent platform privileges.
What to consider before installing
This skill appears to be a coherent wrapper for using the Membrane CLI to access Noticeable, but there are small red flags you should check before installing: (1) verify the Membrane CLI package (@membranehq/cli) and its publisher on npm; (2) confirm the skill's homepage/repository (getmembrane.com and the referenced GitHub) match the publisher and are trustworthy; (3) the SKILL.md includes an incorrect "Official docs" link (ServiceNow) — ask the author or check Noticeable's real API docs to ensure the integration targets the service you expect; (4) be aware that using Membrane routes API calls and credentials through their service — if data sensitivity or privacy is a concern, review Membrane's security/privacy policies first; and (5) note the manifest does not declare the Membrane CLI as a required binary even though the instructions require it — this is likely a packaging oversight but worth confirming.

Like a lobster shell, security has layers — review code before you run it.

latest vk972rgx9tqjdchk7xx2gx5jvan842nf4
