Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pci Booking

v1.0.0

PCI Booking integration. Manage data, records, and automate workflows. Use when the user wants to interact with PCI Booking data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (PCI Booking integration) align with the instructions: all operations are performed via the Membrane CLI and Membrane connections to PCI Booking. There are no unrelated credentials, binaries, or paths requested that would be disproportionate to this purpose.
Instruction Scope
SKILL.md instructs use of the Membrane CLI for login, creating connections, running actions, and proxying arbitrary PCI Booking endpoints. This stays within the skill's stated purpose, but proxying allows full API access (including sensitive payment-card data) so callers must ensure the connection has appropriate permissions and auditing.
Install Mechanism
No formal install spec in registry (instruction-only). The README tells users to install @membranehq/cli via npm -g (and sometimes uses npx). Installing a global npm package is a reasonable way to get the CLI but does execute third-party code from npm; consider using npx or verifying the package source and version before installing.
Credentials
The skill requests no environment variables or secrets and explicitly instructs not to ask users for API keys, relying on Membrane's browser-based auth and server-side credential handling. This is proportionate to the described functionality.
Persistence & Privilege
The skill is instruction-only, has always:false, and does not request persistent system-wide privileges or modify other skills’ configurations. Autonomous invocation is allowed by default (normal) but not elevated.
Assessment
This skill appears coherent: it delegates auth and API access to the Membrane service and instructs you to use the Membrane CLI rather than asking for raw API keys. Before installing/using it, verify you trust Membrane (https://getmembrane.com) and the @membranehq/cli npm package (check the package homepage, publisher, and release history). Prefer npx for one-off use to avoid a global install, and ensure only authorized users can create or use the Membrane connection because the proxy commands can read or modify sensitive PCI payment-card data. Because this is an instruction-only skill with no shipped code, there is nothing in the package to inspect locally — if provenance matters, ask the publisher for a repository or vendor attestation and test in a controlled environment first.

