ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Preflight

v1.0.0

PreFlight integration. Manage data, records, and automate workflows. Use when the user wants to interact with PreFlight data.

0· 36·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (PreFlight integration) aligns with the instructions (use the Membrane CLI to create a connector, list/run actions, and proxy API requests). Asking the user to install @membranehq/cli is coherent with providing a CLI-based integration.
Instruction Scope
Instructions are focused on discovering and running PreFlight actions via Membrane. They instruct installing and running the Membrane CLI, performing browser-based login, creating connections, listing actions, running actions, and proxying API requests through Membrane. One important operational detail: proxying sends requests through Membrane servers (and thus transmits the request/response to Membrane) — this is expected for this integration but relevant for privacy/security considerations.
Install Mechanism
There is no formal install spec in the registry; the SKILL.md tells users to install the CLI via npm (npm install -g @membranehq/cli). Installing a global npm package is a standard approach for CLIs but carries the usual tradeoffs of global package installation (writes to disk, may require elevated privileges on some systems). The package is available from the public npm registry (moderate risk compared to a hosted binary download).
Credentials
The skill requests no environment variables or credentials and explicitly instructs not to ask users for API keys, relying on Membrane's connection flow. This is proportionate to the stated purpose. Note: relying on Membrane means authentication and API requests transit Membrane's service — users should accept that Membrane will handle credentials server-side and see proxied traffic.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system privileges or modify other skills. The default ability for the agent to invoke the skill autonomously is unchanged (normal).
Assessment
This skill appears coherent: it directs you to install and use the official Membrane CLI to connect to PreFlight and does not request local secrets. Before installing, consider: 1) You will install a global npm package (@membranehq/cli); verify the package name and publisher on npm and prefer non-global or containerized installs if you want less system impact. 2) Authentication and API calls are proxied through Membrane — sensitive request/response data will transit Membrane's service, so review their privacy/security posture and terms. 3) The skill makes the agent run CLI commands (including opening browser auth flows); ensure you trust the Membrane provider before granting access. If you need higher assurance, review the @membranehq/cli package source/release and the PreFlight/Membrane documentation before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dejtp81s2xzn0yyr7p6n7p184g299

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments