Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Qualiobee
v1.0.0
Qualiobee integration. Manage data, records, and automate workflows. Use when the user wants to interact with Qualiobee data.
by Vlad Ursul (@gora050)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (Qualiobee integration) aligns with using Membrane as a broker, but the package metadata lists no required binaries while the SKILL.md clearly requires the `membrane` CLI (installed via `npm install -g @membranehq/cli`). The manifest omission is an incoherence: a runtime dependency is not declared.
Instruction Scope
SKILL.md limits actions to interacting with Qualiobee via Membrane actions and proxy requests, and explicitly recommends not asking users for API keys. However, it documents `membrane request CONNECTION_ID /path/to/endpoint`, which can forward arbitrary requests to external APIs under the given connection. That capability is expected for an integration but can be abused to send/receive arbitrary data if an agent executes unreviewed actions.
Install Mechanism
There is no registry install spec, but the instructions require installing a global npm CLI (`@membranehq/cli`) which is a typical but moderately risky step (npm packages run arbitrary code during install and global installs modify the system PATH). The manifest should have declared this required binary and installation impact.
Credentials
The skill requests no environment variables or credentials in the manifest and instructs to rely on Membrane for auth, which is proportionate. However, because the SKILL.md relies on a server-side broker for credentials, users should understand that authentication and subsequent API calls are performed by Membrane's infrastructure rather than locally.
Persistence & Privilege
The skill is not force-enabled (always:false) and is user-invocable, which is normal. Installing the suggested CLI (`npm -g`) will add a persistent global binary — an effect not declared in the manifest — so the skill does introduce a persistent system component if the user follows the instructions.
What to consider before installing
Before installing or using this skill:
(1) be aware the SKILL.md requires installing and running the Membrane CLI (global npm install) even though the manifest lists no required binaries — verify you accept installing that tool.
(2) Review the @membranehq/cli package and publisher (GitHub repo, npm page) and, if possible, audit the CLI or run it in a sandbox.
(3) Understand that Membrane will perform authentication and can proxy arbitrary API calls for a connection — avoid running untrusted or opaque actions that could send sensitive local data to external endpoints.
(4) Prefer creating test connections and exercising actions on non-production data first.
(5) Ask the skill author (or the registry) to correct the manifest to declare the `membrane` binary/installation requirement and to document any minimum permissions or data flows.
Like a lobster shell, security has layers — review code before you run it.
