ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pandadoc

v1.0.0

PandaDoc integration. Manage data, records, and automate workflows. Use when the user wants to interact with PandaDoc data.

0· 41·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name and description (PandaDoc integration) match the instructions: all runtime actions are performed via the Membrane CLI which is a plausible, proportionate way to integrate with PandaDoc. There are no unrelated env vars, binaries, or config paths requested.
Instruction Scope
SKILL.md confines runtime behavior to installing/using the Membrane CLI, creating a connector, listing actions, running actions, and optionally proxying requests to the PandaDoc API via the connector. It does not instruct reading arbitrary local files, harvesting unrelated environment variables, or transmitting data to unexpected third-party endpoints.
Install Mechanism
The registry has no formal install spec (instruction-only), but SKILL.md tells the user to install the Membrane CLI with 'npm install -g @membranehq/cli' (and suggests using npx in other examples). This is a normal approach but does require installing a global npm package and Node/npm on the host; the registry itself will not perform the install.
Credentials
The skill requests no environment variables or credentials from the agent. Auth is handled through Membrane's connector flow (browser login or headless code), which is consistent with the described purpose. There are no unexplained secret requests.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request permanent inclusion or attempt to modify other skills or global agent configuration. Autonomous invocation is allowed (platform default) but not combined with any additional privileged flags.
Assessment
This skill is instruction-only and uses the Membrane CLI to access PandaDoc — installing the CLI (npm -g) will write software to your system and requires Node/npm. Before proceeding: confirm you trust Membrane (getmembrane.com), be aware that creating a connection grants Membrane (and any agent using this skill) the ability to call your PandaDoc API on your behalf, and connect only accounts with appropriate permissions. The SKILL.md explicitly instructs not to ask users for API keys (auth is via a browser login/connector), which is good practice. If you prefer not to install global npm packages or to give an agent access to your PandaDoc account, do not enable this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk978cxzz3nfwxkpzmyxs1ad80n84dece

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments