Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Occasion

v1.0.2

Occasion integration. Manage Events, Venues, Users, Orders, Reports. Use when the user wants to interact with Occasion data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill is an Occasion integration and its SKILL.md consistently instructs use of the Membrane CLI and Membrane-hosted connections to Occasion. Registry metadata lists no required binaries or env vars, but the runtime instructions explicitly require the @membranehq/cli and network access — an omission in the metadata rather than a functional mismatch.
Instruction Scope
Instructions are scoped to installing and using the Membrane CLI, creating connections, listing actions, running actions, and proxying requests to the Occasion API. They do not instruct reading unrelated files, accessing unrelated credentials, or sending data to unexpected endpoints. The skill explicitly advises against asking users for API keys.
Install Mechanism
There is no install spec in the registry; the SKILL.md tells users to install @membranehq/cli via npm (npm install -g). This is a typical, expected path for a CLI but it does require the user to run a global npm install which writes to disk and modifies the environment; that install step is manual and not automatically performed by the platform.
Credentials
The skill declares no required environment variables or credentials. The documentation relies on Membrane's browser-based login flow and connector model to manage auth server-side, which is proportionate to the stated purpose.
Persistence & Privilege
The skill does not request always:true or elevated persistence and does not instruct modifying other skills or system-wide configs. Autonomous invocation is allowed (platform default) and is not paired with other concerning requests.
Assessment
This skill appears coherent: it uses the Membrane CLI to connect to Occasion and does not ask for direct API keys. Before installing: (1) be willing to install a global npm CLI (@membranehq/cli) and allow network access; (2) understand the Membrane login flow — authentication occurs via browser and credentials are managed by Membrane (so review Membrane's privacy/security and what access the Occasion connector will be granted); (3) confirm you trust getmembrane.com and the connector's permissions for the data you will manage. The registry metadata omission about the required CLI is benign but worth noting.

Like a lobster shell, security has layers — review code before you run it.

latestvk978ahayhx82br18mmv8fbyak98428jh
