Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Opencage

v1.0.2

OpenCage integration. Manage Persons, Organizations, Deals, Leads, Projects, Activities and more. Use when the user wants to interact with OpenCage data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md describes an OpenCage geocoding integration via the Membrane CLI, but the registry-level description ("Manage Persons, Organizations, Deals, Leads, Projects, Activities and more") reads like a CRM connector and does not match the documented purpose. That mismatch could be a metadata error or mislabeling and should be clarified before trusting the skill.
Instruction Scope
The skill is instruction-only, and its instructions are confined to installing and using the Membrane CLI to create/list connections, list/run actions, and proxy requests to OpenCage. They do not instruct the agent to read local files or request unrelated credentials. Note: the Membrane CLI is a generic gateway. Once authenticated, it can manage connections and proxy requests, so verify you only create/use the intended OpenCage connection.
Install Mechanism
Install is an npm global package (npm install -g @membranehq/cli). This is a common distribution method but executes third-party code on the host; package provenance and reputation matter. No other install artifacts are present (instruction-only otherwise).
Credentials
The skill declares no required environment variables and the SKILL.md explicitly instructs not to ask users for API keys, relying instead on Membrane-managed auth. The only required credential is a Membrane account login (browser-based). That is proportional to the described functionality.
Persistence & Privilege
The skill is instruction-only with no install spec beyond recommending a CLI. always:false and no special OS or persistent privileges are requested. Autonomous invocation is allowed (platform default) but not, by itself, a red flag here.
What to consider before installing
This skill appears to implement an OpenCage geocoding integration via the Membrane CLI, which is reasonable — but the registry description at the top of the package doesn't match (it looks like CRM-related text). Before installing, verify: 1) the skill owner and the Membrane CLI package (@membranehq/cli) are trusted and come from the expected publisher; 2) you understand that installing the CLI runs third-party code globally; 3) you are comfortable authenticating your Membrane account (the CLI will receive access to your Membrane connections); and 4) once logged in, only create or use the intended OpenCage connection (avoid granting or using broad permissions unless necessary). If the metadata mismatch is unexplained, ask the publisher to correct it or prefer an alternative with consistent metadata and a verifiable repository.

Like a lobster shell, security has layers — review code before you run it.

latestvk9766fxgt0shvew0cjjf9e6t91843z4h
