ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pobuca Connect

v1.0.2

Pobuca Connect integration. Manage Organizations, Leads, Deals, Projects, Pipelines, Users and more. Use when the user wants to interact with Pobuca Connect...

0· 92·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md clearly targets Pobuca Connect via the Membrane CLI and the requested capabilities (connections, actions, proxy requests) match that purpose. However, the skill metadata declares no required binaries even though the instructions require installing and using the @membranehq/cli; the missing declared dependency is an inconsistency.
Instruction Scope
Instructions stay within the stated scope: they describe logging into Membrane, creating connections, listing/running actions, and proxying requests to the Pobuca Connect API. The instructions do not ask the agent to read arbitrary local files or unrelated environment variables.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but SKILL.md tells users to run `npm install -g @membranehq/cli`. Using a public npm package is traceable and common, but the skill should have declared this requirement. Installing a global CLI has typical supply-chain risk — review the npm package and its source (GitHub) before installing.
Credentials
The skill does not request environment variables, secrets, or config paths. The SKILL.md explicitly advises against asking users for API keys and says Membrane manages auth server-side, which is consistent and proportionate.
Persistence & Privilege
The skill is user-invocable and not always-enabled. It does not request elevated or persistent system privileges in its metadata or instructions, and it does not attempt to modify other skills or global agent settings.
What to consider before installing
This skill is mostly coherent but you should: (1) verify and inspect the @membranehq/cli package on npm/GitHub before installing (global npm installs have supply-chain risk); (2) confirm you trust Membrane (getmembrane.com) and understand what access a Membrane connection grants to Pobuca Connect data; (3) be aware the skill instructs you to complete browser-based auth flows (or paste codes in headless environments); and (4) ask the skill author/maintainer to update the registry metadata to declare the Membrane CLI as a required binary or provide an explicit install spec so the dependency is not hidden. If you cannot validate the CLI/package or do not want to install a global CLI, do not install or run this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk979f7fdrmn8qc8ykve53z8jw58437gw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments