ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Salesmsg

v1.0.2

Salesmsg integration. Manage Persons, Organizations, Conversations, Users, Numbers, Templates and more. Use when the user wants to interact with Salesmsg data.

0· 119·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md explains how to use the Membrane CLI to manage Salesmsg resources. There are no unrelated environment variables, binaries, or install steps baked into the skill itself.
Instruction Scope
Runtime instructions are limited to installing/using the Membrane CLI, creating a connection, listing and running actions, and proxying requests to the Salesmsg API via Membrane. The skill does not instruct reading arbitrary local files or unrelated credentials. Note: proxying via Membrane means requests go through a third-party service (Membrane) which will mediate auth and traffic — this is expected for this integration.
Install Mechanism
There is no formal install spec in the registry; the SKILL.md tells users to run `npm install -g @membranehq/cli`. That is a reasonable, common instruction but does require installing a third-party npm package globally — users should verify the package source and trustworthiness before running it.
Credentials
The skill requests no environment variables or local config paths. It does require a Membrane account and a Salesmsg connection (created via browser-based OAuth), which are proportional to the integration's needs. The documentation explicitly advises not to ask users for API keys and to let Membrane manage credentials.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request system-wide privileges or modify other skills. Autonomous invocation is allowed (platform default) but is not combined with other high-risk factors here.
Assessment
This skill is coherent with its stated purpose, but be aware it relies on the Membrane service and a globally installed @membranehq/cli package. Before installing/running the CLI: (1) verify the npm package and its publisher (review the GitHub repo and package page); (2) understand that Membrane will hold and refresh Salesmsg credentials and will proxy API requests (so Membrane will be able to access your Salesmsg data); (3) avoid installing global packages on sensitive machines if you cannot verify them; and (4) only create connections to accounts you control. If you are comfortable trusting Membrane and the CLI package, the skill is proportionate to its purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk9731ev0f6kg7qttvfnfnk5cd1843frg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments