ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Seven

v1.0.2

Seven integration. Manage Organizations, Users, Goals, Filters. Use when the user wants to interact with Seven data.

0· 90·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description matches the instructions (it uses Membrane to manage Seven data). Minor inconsistency: the SKILL.md's "Official docs" URL points to an unrelated 7-pdf site, which looks like a mistaken link but does not affect functionality.
Instruction Scope
Instructions are limited to installing/using the Membrane CLI, logging in, creating a connection, listing and running Membrane actions, and proxying requests through Membrane. The instructions do not ask the agent to read unrelated files, environment variables, or exfiltrate data to unexpected endpoints.
Install Mechanism
There is no registry install spec (this is instruction-only), but the SKILL.md asks the user to install @membranehq/cli via npm (npm install -g). Installing an npm package is a common, moderate-risk step; the skill itself does not automatically download or install code.
Credentials
The skill declares no required environment variables or credentials and explicitly instructs to rely on Membrane for auth. The requested access (a Membrane account and network access) is proportionate to the stated purpose.
Persistence & Privilege
The skill does not request always:true and makes no changes to other skills or system-wide settings. Autonomous invocation (disable-model-invocation=false) is the platform default and not a concern here by itself.
Assessment
This skill appears to do what it says: it tells you how to use the Membrane CLI to interact with Seven and does not request extra secrets. Before installing or using it, verify you trust the @membranehq/cli package (review its npm page or source) because the CLI will proxy requests and handle authentication. Also note the SKILL.md contains an incorrect "Official docs" link (points to 7-pdf) — confirm the targeted Seven service and documentation if you need to audit API behavior or endpoints.

Like a lobster shell, security has layers — review code before you run it.

latestvk9704nmjbjs8y0e8vv0r2wgtzh842w8q

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments