Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Oysterhr

v1.0.2

OysterHR integration. Manage data, records, and automate workflows. Use when the user wants to interact with OysterHR data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Pending
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and SKILL.md content consistently describe an OysterHR integration and list expected HR entities. However, an integration that calls OysterHR APIs normally requires API credentials or an auth flow; the skill does not declare any required env vars or a primary credential, which is surprising and should be explained.
Instruction Scope
SKILL.md (the runtime instructions) is instruction-only and appears to enumerate OysterHR resources and behaviors. The provided excerpt does not instruct the agent to read local files, access unrelated system paths, or exfiltrate data to unexpected endpoints — the scope appears to stay on interacting with OysterHR data via network calls.
Install Mechanism
No install spec and no code files — lowest-risk delivery model. Nothing is written to disk by the skill itself.
Credentials
The skill states it requires network access and a Membrane account but declares no required environment variables or primary credential. For an API integration this is incomplete: expect to need OysterHR API keys or OAuth tokens (not declared). Clarify where and how credentials are provided and what scopes are required.
Persistence & Privilege
always:false and default model-invocation are set. The skill does not request persistent system privileges, nor does it modify other skills or global config in the provided materials.
What to consider before installing
This is an instruction-only OysterHR integration (no code to install), but it does not declare how it will authenticate to OysterHR. Before installing, ask the publisher: 1) exactly how authentication is handled — does it require you to paste an OysterHR API key, use OAuth, or rely on a Membrane-provided token? 2) what minimum API scopes are required and whether you can use a restricted service account (not a full admin key). 3) whether the skill sends any data to endpoints other than OysterHR or the Membrane platform. If you must provide credentials, prefer short-lived or least-privilege tokens and test in a sandbox account with non-production data first. If the publisher cannot explain the auth flow or required scopes, treat the skill as higher risk and avoid installing it for production HR data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c7dr82mq4xfyee3zp5xy0rs842svd
