Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Openlayer
v1.0.0Openlayer integration. Manage data, records, and automate workflows. Use when the user wants to interact with Openlayer data.
⭐ 0· 51·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to integrate with "Openlayer" and links to the OpenLayers JS library (openlayers.org), but the instructions treat Openlayer as a remote service accessed via a Membrane connector that requires authentication. That mismatch (client-side library vs. connector/service) is unexplained and may indicate the SKILL.md is a generic template or mislabelled.
Instruction Scope
All runtime instructions are limited to installing and using the Membrane CLI, authenticating with Membrane, listing/creating connections, discovering and running actions, and using Membrane's proxy. The instructions do not ask the agent to read unrelated files, collect host secrets, or transmit local data elsewhere.
Install Mechanism
There is no registry install spec; the SKILL.md instructs the user to run `npm install -g @membranehq/cli`. Installing a global npm package is a normal step for CLI tooling but carries typical risks (npm install scripts, supply-chain trust). The skill itself doesn't auto-install anything, but it directs users to add a third-party CLI.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. It relies on Membrane to manage credentials server-side and instructs users not to provide API keys locally — this is proportionate to the stated workflow.
Persistence & Privilege
The skill does not request always:true or other elevated presence. It is user-invocable and allows autonomous invocation by default (normal platform behavior). There is no instruction to modify other skills or system-wide configs.
What to consider before installing
What to consider before installing/using this skill:
- The SKILL.md is an instruction-only integration that depends on the Membrane platform and its CLI (@membranehq/cli). If you don't already trust Membrane, review their privacy, data-handling, and security docs before installing.
- The README appears to confuse OpenLayers (a client-side mapping library) with a remotely hosted service/connector — verify what the "Openlayer" connector actually connects to inside Membrane before granting access or creating a connection.
- Installing the CLI uses `npm install -g`, which executes code from the npm package. If you proceed, inspect the package (version, publisher, repository, and install scripts) or run the CLI in a sandbox/container first.
- Membrane's proxy and connection model means that once you authenticate a connector, the CLI/agent can make arbitrary proxied requests to the connected service on your behalf. Ensure you understand what accounts and scopes the connector will access and limit permissions where possible.
- If you need stronger assurance: (1) verify the connector id and what endpoints it accesses; (2) test actions in a minimal/non-production account; (3) examine the @membranehq/cli source and its auth flows; (4) avoid providing local API keys — follow the skill's advice to let Membrane manage auth but confirm where credentials are stored/managed.
Because of the naming/description mismatch and the requirement to trust an external CLI and platform, proceed carefully and validate the connector details before use.Like a lobster shell, security has layers — review code before you run it.
latestvk972sccsjgv7mfpg1wwv8jqpnx844bfx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.