Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Samsara

v1.0.2

Samsara integration. Manage Drivers, Assets, Locations, Trips, Reports. Use when the user wants to interact with Samsara data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly requires the @membranehq/cli and a Membrane account to interact with Samsara (including running membrane login and membrane request), but the registry metadata declares no required binaries or credentials. Requiring the Membrane CLI and account is coherent with the described purpose, but the metadata omission is an inconsistency that should be corrected.
Instruction Scope
Instructions stay on-topic (discover actions, run actions, or proxy arbitrary Samsara API calls via Membrane). However, the proxy capability allows arbitrary requests to Samsara through Membrane, which grants broad data access. The SKILL.md tells users to run global npm installs and perform browser-based auth; it does not instruct reading unrelated files or env vars.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the README instructs a global npm install of @membranehq/cli. That is a normal way to obtain the CLI, but because the registry didn't record this requirement the skill's install expectations are incomplete. Users should verify the npm package and its provenance before running a global install.
Credentials
The skill itself does not request local environment variables or credentials. Instead it relies on Membrane to hold and refresh Samsara credentials server-side. That is proportional to the stated approach, but it implies trusting a third party with your Samsara access tokens.
Persistence & Privilege
The skill is instruction-only, does not request persistent installation privileges, and does not set always:true. It does not modify other skills or claim to change global agent settings.
What to consider before installing
This skill is basically a how-to for using the Membrane CLI to access Samsara. Before installing or following the instructions: (1) be aware you must install @membranehq/cli (global npm install) and have a Membrane account—these are not listed in the registry metadata; (2) Membrane will hold your Samsara credentials and proxy requests, so only use it if you trust that third party and your organization allows storing service tokens with them; (3) verify the npm package and the Membrane service (repository, publisher, and homepage) to avoid a supply-chain risk; (4) prefer using a least-privilege connection in Samsara and review what data the connection can access; and (5) avoid pasting raw API keys into chat—follow the connection flow described instead.
