ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Procore

v1.0.2

Procore integration. Manage Projects, Users, Roles, Organizations. Use when the user wants to interact with Procore data.

0· 53·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match the SKILL.md's stated purpose (Procore integration and mapping of many Procore resources). That aligns with the skill's apparent capabilities. However the SKILL.md notes a dependency on a 'valid Membrane account' but the skill metadata does not declare any required credentials or environment variables for Procore or Membrane, which is inconsistent.
!
Instruction Scope
This is an instruction-only skill that requires network access and a Membrane account per the header. The provided fragment lists many Procore resource types and likely instructs the agent how to call APIs. The SKILL.md is vague about where API keys or OAuth tokens come from and how they should be provided; instruction-only skills that ask users to paste credentials into chat or that grant the agent wide discretion to gather 'whatever context is needed' are risky. Because the full instructions are not explicitly declaring credential handling, there is a risk the agent will prompt for or transmit secrets inappropriately.
Install Mechanism
No install spec and no code files — nothing is downloaded or written to disk. This is the lowest-risk install mechanism (instruction-only).
!
Credentials
No required environment variables, no primary credential, and no config paths are declared, yet the SKILL.md explicitly states it requires a Membrane account and network access. A Procore integration normally requires API credentials (API key, OAuth client) which should be declared or documented. The absence of declared credentials is disproportionate and ambiguous about how secrets will be supplied or stored.
Persistence & Privilege
The skill is not set to always: true and is user-invocable. It does not request elevated system persistence or to modify other skills. Autonomous invocation is allowed by default (disable-model-invocation: false), which is normal — no extra privilege flags are present.
What to consider before installing
This skill is instruction-only and needs network access. Before installing or using it: (1) Inspect the full SKILL.md to confirm exactly how it asks for Procore and Membrane credentials — prefer OAuth flows or server-side tokens rather than pasting secrets into chat. (2) Verify the skill's source/trustworthiness (check the referenced GitHub repo and the publisher). (3) If the skill requires API keys or tokens, only provision least-privilege credentials and be prepared to revoke them after testing. (4) Avoid pasting sensitive credentials directly into chat; if unsure, decline and ask the maintainer to document a secure auth flow. (5) Consider using the skill in a restricted/testing account first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fmkjkqgmn9p1p40eb3jf4e5842sp3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments