Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Signpath

v1.0.2

SignPath integration. Manage Leads, Persons, Organizations, Deals, Projects, Pipelines and more. Use when the user wants to interact with SignPath data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill describes a SignPath integration that uses the Membrane CLI — that aligns with the description. Minor inconsistency: registry metadata lists no required binaries, but SKILL.md explicitly instructs installing/running the `membrane` CLI (via `npm install -g @membranehq/cli` / `npx`). This is not malicious but the metadata could better declare the dependency.
Instruction Scope
SKILL.md limits actions to using Membrane to discover actions, run actions, and proxy requests to the SignPath API. It does not instruct reading unrelated files or environment variables, nor does it direct data to unexpected external endpoints beyond Membrane/SignPath.
Install Mechanism
There is no formal install spec in the registry; the user-facing install step is `npm install -g @membranehq/cli` (and examples using `npx`). Installing a public npm CLI is a common pattern but carries the usual moderate risk of pulling code from the public npm registry — verify the package and publisher before installing. Using `npx` avoids a global install.
Credentials
The skill declares no environment variables or credentials to store locally and explicitly recommends letting Membrane manage auth via browser-based login. The required access (a Membrane account and network access) is proportionate to the task of interacting with SignPath.
Persistence & Privilege
The skill is instruction-only, does not request persistent/always-on privileges, and does not modify other skills or system-wide configs. It relies on the user performing a Membrane login flow.
Assessment
This skill is coherent: it uses the Membrane CLI to proxy SignPath API calls and does not ask for raw API keys. Before installing: (1) confirm you trust the @membranehq/cli npm package and its publisher (review the npm page and GitHub repo), (2) prefer using `npx` if you want to avoid a global install, (3) be aware the workflow opens a browser for authentication and will grant Membrane access to your SignPath data — only proceed if you trust Membrane to manage those credentials. If you need more assurance, inspect the Membrane CLI repo and the npm package contents before installing.

Like a lobster shell, security has layers — review code before you run it.

latest vk97c31t58tcyj15egzf0zywxqd842hyn
