ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nuapay

v1.0.0

Nuapay integration. Manage data, records, and automate workflows. Use when the user wants to interact with Nuapay data.

0· 51·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md clearly instructs using the Membrane CLI (npm install -g @membranehq/cli) and a Membrane account to access Nuapay, but the registry metadata lists no required binaries, env vars, or primary credential. The behavior requested (installing and using a third‑party CLI) is consistent with the skill's stated purpose, however the metadata omission is an incoherence that should be corrected or explained.
Instruction Scope
The runtime instructions remain within the stated purpose: discover Membrane connector, create a connection (browser-based auth), run actions or proxied requests to the Nuapay API. The instructions do not ask the agent to read unrelated files, exfiltrate data to alternate endpoints, or access unrelated credentials.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md directs the user/agent to run a global npm install (and sometimes npx). Installing @membranehq/cli from npm is a reasonable way to obtain the CLI, but global npm installs execute third‑party code and modify the environment; the absence of an install declaration in the skill metadata is an inconsistency and a modest risk vector (supply‑chain / trust in npm package publisher).
Credentials
The skill does not request any environment variables or credentials in metadata. The SKILL.md correctly recommends letting Membrane manage API credentials via browser-based connection flows instead of asking for API keys. No unrelated secrets or excessive env access are requested.
Persistence & Privilege
The skill is instruction-only, does not request permanent 'always' inclusion, and does not modify other skills or system-wide settings. Autonomous model invocation is allowed by default but is not combined with other high-risk factors here.
What to consider before installing
This skill appears to be a legitimate Nuapay integration that uses the Membrane CLI, but the registry metadata omits the CLI installation requirement — treat that as a red flag until clarified. Before installing or using it: 1) Verify the @membranehq/cli npm package and its publisher (review the package page and source repository) so you trust the code you're installing globally. 2) Prefer installing in a controlled environment (container, VM, or non‑privileged user) rather than your main workstation. 3) Confirm you are comfortable with browser-based authentication to Membrane (Membrane will hold tokens/server-side). 4) Ask the publisher to update the skill metadata to declare the required binary and any network/access assumptions. If you need higher assurance, request a signed install spec or a versioned release URL and review the Membrane CLI source before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97757sf5kf7j4qymct5v198k984dk0x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments