ClawHub

Project Broadcast

v1.0.2

Project Broadcast integration. Manage Persons, Organizations, Lists, Broadcasts, Templates, Numbers and more. Use when the user wants to interact with Projec...

0· 69·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (Project Broadcast integration) align with the instructions: all actions are performed through the Membrane CLI which proxies requests to Project Broadcast. Requests for a Membrane account and network access are expected.
Instruction Scope
Runtime instructions tell the agent to run npx @membranehq/cli@latest commands (login, connect, action list/run, request proxy). The guide also refers to the locally stored credentials file (~/.membrane/credentials.json) and headless login flows; these are relevant to the integration but mean the agent will rely on local credential storage and user-driven browser authentication.
!
Install Mechanism
There is no install spec, but the SKILL.md relies on npx to fetch and execute @membranehq/cli@latest at runtime. Executing a remote npm package (especially with the @latest tag) is a supply-chain risk and can change behavior over time; this is expected for a CLI-based integration but is higher-risk than a packaged, pinned install.
Credentials
The skill declares no required env vars (consistent). However it relies on a Membrane account and the CLI's credential file (~/.membrane/credentials.json). Those stored credentials are sensitive — the skill doesn't request unrelated secrets, but local token files and browser-auth flows should be considered sensitive.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent platform-level privileges or modify other skills. Autonomous invocation is allowed by default but not a specific additional privilege of this skill.
Assessment
This skill appears to do what it says (use Membrane to talk to Project Broadcast), but be aware of two practical risks: (1) it uses npx @membranehq/cli@latest at runtime which fetches and executes code from the npm registry — consider pinning to a specific version or preinstalling the CLI if you want to reduce supply-chain risk; (2) authentication tokens are stored locally (~/.membrane/credentials.json) and are sensitive — review and protect that file. If you are not comfortable allowing the agent to execute remote CLIs or to use locally stored tokens, avoid installing or require stricter controls (pin CLI version, preinstall the binary, or restrict autonomous invocation). If you trust Membrane and are comfortable with the interactive login flow, the skill is proportionate to its purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk970zhh0tb01heezb1xpg0zq6x84270d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments