ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Resci Retention Science

v1.0.0

Retention Science integration. Manage data, records, and automate workflows. Use when the user wants to interact with Retention Science data.

0· 26·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Retention Science integration) matches the runtime instructions which use the Membrane CLI to discover connectors, create connections, run actions, and proxy API requests. Requiring network access and a Membrane account is expected for this purpose; there are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
All instructions are limited to installing/using the Membrane CLI, creating Membrane connections, listing actions, running actions, and proxying requests through Membrane. The SKILL.md does not instruct reading local files or environment variables outside of the normal CLI login flow. It does instruct opening a browser or completing a headless login, which is expected for interactive auth.
Install Mechanism
This is an instruction-only skill (no install spec). It recommends installing the Membrane CLI via npm (npm install -g @membranehq/cli) or using npx. Installing an npm package globally executes third-party code on the machine — a normal choice for a CLI but it carries the usual risk of running external packages. The guidance to use npx@latest mitigates global install concerns.
Credentials
No environment variables, secrets, or local config paths are required. The SKILL.md explicitly advises against asking users for API keys and relies on Membrane's server-side auth handling, which is proportionate to the stated function.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. It does not request permanent system presence or modify other skills' configs. This level of persistence is standard and appropriate for an integration skill.
Assessment
This skill appears to do what it claims: use the Membrane CLI to interact with Retention Science. Before installing/use: (1) Confirm you trust the Membrane service (getmembrane.com) and are comfortable giving it access to your Retention Science data, since Membrane will hold/refresh credentials and proxy requests. (2) Prefer using npx to avoid a global npm install, or review the @membranehq/cli package and its publisher on npm/GitHub first. (3) Be aware the CLI login opens a browser or requires a completion code — do not paste credentials into untrusted prompts. (4) If you need strict data governance, verify Membrane’s privacy/security policies and audit the connector actions you run so they don't perform unexpected operations. If you want greater assurance, provide the skill’s repository/package URL and a checksum so you (or an auditor) can verify the exact CLI being installed.

Like a lobster shell, security has layers — review code before you run it.

latestvk979jxtgdg5v7s74hmn19cwd6h846360

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments