Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pulsetic

v1.0.2

Pulsetic integration. Manage Leads, Persons, Organizations, Deals, Projects, Pipelines and more. Use when the user wants to interact with Pulsetic data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Pending
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill metadata/short description claims CRM-style capabilities (Leads, Persons, Organizations, Deals, Projects, Pipelines), but the SKILL.md describes Pulsetic as a website/API monitoring tool and points to Membrane as the integration layer. Homepage is getmembrane.com and SKILL.md references membrane CLI and pulsetic.com/docs. This mismatch between stated purpose and actual instructions is incoherent and should be clarified with the publisher.
Instruction Scope
SKILL.md instructs the agent/user to install and use the Membrane CLI, run membrane login/connect/action/request commands, and use Membrane's proxy for Pulsetic API calls. The instructions do not ask the agent to read unrelated files or environment variables and explicitly advise against collecting user API keys. The only notable scope element is that using Membrane means API requests and credentials are handled server-side by Membrane (privacy implication).
Install Mechanism
This is an instruction-only skill (no install spec). It tells the user to run 'npm install -g @membranehq/cli' (a public npm package). Global npm installs are a moderate-risk surface (trusted public package but runs code on your machine). The SKILL.md also uses 'npx @membranehq/cli@latest' in examples, which is a lower-friction alternative.
Credentials
No environment variables, files, or credentials are requested by the skill. The SKILL.md deliberately delegates auth to Membrane and explicitly says 'never ask the user for API keys', which is proportionate to the integration model.
Persistence & Privilege
The skill does not request 'always' presence, does not modify other skills, and is instruction-only. It relies on Membrane for persistent connections/auth, which is expected for this integration pattern.
What to consider before installing
Proceed cautiously. The two red flags are (1) the description/metadata (CRM-style features) does not match the SKILL.md (website monitoring via Membrane); confirm with the publisher which Pulsetic/product this skill targets before use. If you accept the skill: prefer using npx or a pinned package version instead of 'npm -g' to avoid unreviewed global installs; verify the @membranehq/cli package source and version on npm/github; understand that Membrane will proxy API calls and therefore will see the data and manage credentials — only use if you trust Membrane; do not provide local API keys or secrets outside the Membrane connection flow; and test with an account that has limited privileges first. If you need higher assurance, ask the publisher for a clarifying README or the repository commit that produced this SKILL.md.
