ClawHub

Referralrock

v1.0.2

ReferralRock integration. Manage data, records, and automate workflows. Use when the user wants to interact with ReferralRock data.

0· 112·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description say this is a ReferralRock integration and all instructions revolve around using the Membrane CLI to connect to ReferralRock, discover actions, run actions, or proxy raw API requests. The required capabilities (network access, a Membrane account) are consistent with that purpose.
Instruction Scope
SKILL.md only instructs running the Membrane CLI (install, login, connect, list actions, run actions, proxy requests). It does not tell the agent to read unrelated files, access arbitrary environment variables, or exfiltrate data. It explicitly advises not to ask users for API keys and to let Membrane handle credentials.
Install Mechanism
The skill is instruction-only (no install spec). It recommends installing @membranehq/cli via npm -g and shows npx usage in places. Installing a global npm package modifies the host environment and pulls code from the npm registry; this is common but carries the usual supply-chain risk. Because installation is manual (not automatic), the risk is limited but users should verify the package source and consider using npx to avoid a global install.
Credentials
The skill declares no required env vars or credentials. It uses Membrane to manage auth server-side, so the skill itself doesn't request local secrets. Note: using Membrane means the Membrane service and CLI will hold and use connection credentials on the user's behalf — that is expected but relevant to trust/privacy considerations.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent platform privileges or modify other skills. Autonomous invocation is allowed by default and not a specific red flag here because there are no extra privileges requested.
Assessment
This skill appears coherent, but because it relies on a third-party service and CLI (Membrane), consider the following before installing: 1) Verify the @membranehq/cli package on the npm registry and the referenced GitHub repository (authenticity and maintainer reputation). 2) Prefer using npx or a local install if you want to avoid a global npm -g install. 3) Understand that Membrane will store and use connection credentials and proxy requests to ReferralRock on your behalf — review Membrane's privacy/security documentation and terms. 4) When you run membrane login, a browser-based auth flow will open; ensure you trust the site before completing login. 5) Run initial tests in a controlled environment (non-production account) to confirm the behavior you expect. The skill itself does not request unrelated system files or environment variables, so the primary trust decision is whether you trust the Membrane service/CLI.

Like a lobster shell, security has layers — review code before you run it.

latestvk97425jg0w6h5hcww0q6ntx27n843t8w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments