Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Rentcast

v1.0.2

RentCast integration. Manage Properties, Contacts, Leads. Use when the user wants to interact with RentCast data.

0 · 120 · 0 current · 0 all-time
by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md clearly requires the Membrane CLI (invoked via membrane and npx) and implicitly requires npm/node and a browser for login, but the registry metadata declares no required binaries or install spec. That's an incoherence: the skill will not work as advertised without installing additional tooling that the registry didn't list.
Instruction Scope
All runtime instructions stay within the stated purpose: discover actions, run Membrane proxy requests, and manage RentCast data. The skill does not instruct reading unrelated files or exporting secrets; it relies on Membrane to handle authentication.
! Install Mechanism
There is no formal install spec; instead the README tells users to run `npm install -g @membranehq/cli` or use `npx ...@latest`. Using npx/@latest will fetch and execute remote package code at runtime, which increases risk if you haven't verified package provenance. A missing install spec combined with instructions to run global installs and npx is a moderate installation risk.
Credentials
The skill requests no environment variables or credentials (Membrane handles auth via browser flows), which is proportionate. However, the SKILL.md expects interactive browser-based auth and headless codes—this implicit dependency on user-interactive auth flows and on npm/node is not represented in the metadata.
Persistence & Privilege
The skill does not request persistent always-on presence and uses normal user-invocable/autonomous invocation defaults. It does not request system-wide config modifications in the instructions.
What to consider before installing
This skill appears to do what it claims (use Membrane to interact with RentCast), but exercise caution before installing or running commands. Verify the Membrane CLI package and its publisher (https://getmembrane.com and the official @membranehq npm org / GitHub repo). Prefer installing a pinned, reviewed version instead of running `npx ...@latest`, since npx downloads and executes code each time. Be aware that a global `npm install -g` may require elevated permissions. Confirm the repository/package integrity (checksums, official docs) and that the Membrane project is legitimate before proceeding. If you cannot or do not want to install npm/node or run npx, do not install this skill. If you need higher assurance, request an explicit install spec and declared required binaries in the registry metadata.

Like a lobster shell, security has layers — review code before you run it.

latestvk9754qng38hjkr18qenzeh1v35842f70
