Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Removebg

v1.0.2

Remove.bg integration. Manage Images. Use when the user wants to interact with Remove.bg data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill name/description and SKILL.md consistently describe a Remove.bg integration mediated by the Membrane CLI. However, the registry metadata lists no required binaries or environment/config requirements while the SKILL.md explicitly requires network access and the Membrane CLI (and a Membrane account). The missing declaration of the CLI/account is an incoherence between claims and requirements.
Instruction Scope
Instructions are focused on using the Membrane CLI to authenticate, create a connector to Remove.bg, list/run actions, and proxy arbitrary Remove.bg API requests. They do not instruct reading unrelated files, asking for unrelated credentials, or exfiltrating data; scope is limited to the described integration.
Install Mechanism
There is no machine-enforced install spec in the registry (the skill is instruction-only), but SKILL.md tells users to run 'npm install -g @membranehq/cli'. Recommending a global npm package is a moderate-risk action (third-party code executed on host). The registry should have declared the required binary to make this explicit.
Credentials
The skill declares no required environment variables or credentials and instructs you to use Membrane-managed connections rather than asking for API keys. That is proportionate: auth is handled server-side by Membrane, so local secrets are not required by the skill itself.
Persistence & Privilege
The skill does not request always: true, does not modify other skills, and has no install spec that writes persistent files as part of the skill bundle. Normal autonomous invocation is allowed (platform default).
What to consider before installing
This skill appears to do what it says (use Remove.bg via Membrane) but the registry metadata omitted that the Membrane CLI and network/Membrane account are required. Before installing or running commands:

1) Verify the @membranehq/cli npm package and the Membrane project (homepage/repo) are legitimate and trustworthy;
2) Be aware you'll be asked to run 'membrane login' which opens a browser and grants Membrane access to connectors — review what Membrane will access;
3) Prefer installing the CLI in a controlled environment (not on a critical production host) or inspect the package first;
4) Confirm you are comfortable with proxying requests through Membrane (it will handle auth and see proxied content).

If you need stronger assurance, ask the publisher to update the registry metadata to declare the required binary and network/account requirements explicitly.

Like a lobster shell, security has layers — review code before you run it.
