Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Serply

v1.0.2

Serply integration. Manage Leads, Persons, Organizations, Deals, Projects, Pipelines and more. Use when the user wants to interact with Serply data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Top-level metadata/description claims CRM-like capabilities (Leads, Persons, Organizations, Deals, Projects, Pipelines), but the SKILL.md describes Serply as an SEO/keyword-ranking tool and shows Serply API usage. This mismatch between claimed purpose and actual integration is confusing and could mislead users about what the skill does.
Instruction Scope
SKILL.md is instruction-only and directs the agent to install and use the Membrane CLI, perform user login, create connections, run pre-built actions, and proxy arbitrary Serply API endpoints via 'membrane request'. Those commands are coherent for a connector-style integration, but the 'proxy requests' capability lets the agent send arbitrary HTTP requests through the user's Membrane connection — expected for API integrations but potentially powerful if misused.
Install Mechanism
There is no install spec in registry metadata, yet SKILL.md instructs installing @membranehq/cli globally via npm. Installing a global npm package is common but not enforced here; this mismatch (no declared install but manual install instructions) is an organizational inconsistency and a small operational risk. The suggested package is from the public npm registry (traceable), not an arbitrary download URL.
Credentials
The skill declares no environment variables or credentials and advises using Membrane connections (no direct API key prompts). This is proportionate: Membrane handles auth server-side and the skill's instructions explicitly say not to ask users for API keys.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. Model invocation is allowed (platform default). There is no instruction to modify other skills or global agent configuration.
What to consider before installing
Key things to consider before installing:
1) Confirm which service you actually want to integrate — the skill's top-line description (CRM features) does not match the SKILL.md (Serply is an SEO/keyword-tracking API). Ask the publisher which is correct.
2) The skill requires installing @membranehq/cli (npm -g) per SKILL.md even though no install is recorded in metadata; review the CLI package on npm/github before installing and consider installing locally (npx) instead of globally.
3) Using the Membrane proxy requires authenticating via your browser; the proxy can send arbitrary HTTP requests on your behalf to the connected service, so only connect accounts you trust and review returned action schemas before running them.
4) The skill does not request ENV secrets (good) — do not share raw API keys manually; prefer creating a Membrane connection as instructed.
5) If you need to proceed, ask the publisher to fix the description mismatch and to provide an explicit install spec in registry metadata for transparency.

Like a lobster shell, security has layers — review code before you run it.
