Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Phoneburner
v1.0.2
PhoneBurner integration. Manage Persons, Users, Groups, Emails, Dispositions, Tags. Use when the user wants to interact with PhoneBurner data.
by Vlad Ursul @gora050
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (PhoneBurner integration) match the instructions: all actions are performed via the Membrane CLI or its proxy. There are no unrelated environment variables, binaries, or config paths requested.
Instruction Scope
SKILL.md is instruction-only and stays on task: it tells the agent to install and use @membranehq/cli, perform browser-based login, create a connector, run actions, or proxy raw API requests through Membrane. It explicitly warns not to ask users for API keys. Note that proxying requests means data is sent to Membrane's service.
Install Mechanism
No install spec in the package, but the runtime instructions tell the user to run `npm install -g @membranehq/cli` (public npm package). This is a common pattern but involves installing a global CLI (requires elevated npm permissions on some systems) and trusting the upstream npm package.
Credentials
The skill declares no required env vars or credentials. All auth is delegated to Membrane (browser login and connector flow), which is proportionate for a connector-style integration.
Persistence & Privilege
Skill is instruction-only, no always:true, and does not request persistent system-wide privileges or modify other skills. Autonomous invocation is allowed (default) but not combined with other concerning flags.
Assessment
This skill is coherent: it tells the agent to use the Membrane CLI to authenticate and proxy PhoneBurner requests. Before installing, consider: (1) you will need to install a global npm package (@membranehq/cli) — review that package and its version; (2) Membrane will handle credentials and proxy API calls, so you must trust Membrane with access to your PhoneBurner data; (3) prefer completing authentication via the documented browser flow and avoid pasting secrets into chat; (4) if you need a higher assurance, review Membrane's privacy/security docs and the CLI source code in the referenced repository before proceeding.
Like a lobster shell, security has layers — review code before you run it.
