Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Osano

v1.0.2

Osano integration. Manage data, records, and automate workflows. Use when the user wants to interact with Osano data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's purpose (Osano integration) matches the runtime instructions (use Membrane to connect to Osano and run actions). However the skill metadata declares no required binaries or env vars while the SKILL.md requires installing and running the Membrane CLI (npm/node) and a browser-based login, which is an omission/inconsistency.
Instruction Scope
SKILL.md confines actions to using the Membrane CLI (list/connect/run/proxy). It does not instruct reading unrelated files or harvesting local secrets. It does, however, instruct use of 'membrane request' to proxy arbitrary API calls — which will transmit whatever data you pass through Membrane's servers to external endpoints (Osano API).
Install Mechanism
There is no formal install spec in registry metadata, but SKILL.md instructs a global npm install of @membranehq/cli. Installing a global npm package runs code from the npm registry (moderate risk). This is a common but non-trivial action and should be done only if you trust the publisher (@membranehq).
Credentials
The skill does not request any environment variables or credentials and explicitly advises against asking users for API keys (it relies on Membrane for auth). It does require a Membrane account and network access, which are proportionate to the stated purpose.
Persistence & Privilege
The skill isn't always-enabled and doesn't request special persistence or cross-skill configuration. It relies on a CLI the user installs and runs manually.
What to consider before installing
Before installing or using this skill:
1) Note that SKILL.md expects you to install a global npm package (@membranehq/cli) and log in via a browser — this will execute third-party code on your machine and route API calls through Membrane's service.
2) Verify you trust the Membrane publisher and the npm package (check the npm page, GitHub repo, and publisher identity).
3) Be aware that 'membrane request' proxies arbitrary requests and will transmit any data you pass through Membrane; avoid sending sensitive secrets unless you trust the service.
4) The registry metadata omits the requirement for node/npm and a browser; treat that omission as a red flag and confirm prerequisites before proceeding.

Like a lobster shell, security has layers — review code before you run it.
