Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Snapchat Marketing
v1.0.2
Snapchat Marketing integration. Manage data, records, and automate workflows. Use when the user wants to interact with Snapchat Marketing data.
by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description claim a Snapchat Marketing integration, and the SKILL.md consistently describes using Membrane to access Snapchat's Marketing API; this is coherent. However, the manifest declares no required binaries or install steps, while the runtime instructions tell the user to install the Membrane CLI (npm install -g @membranehq/cli) and use npx. The metadata therefore omits expected requirements (npm/node), and a Membrane account is required but not declared as a primary credential.
Instruction Scope
The SKILL.md stays within the integration scope: it tells the agent how to install and use the Membrane CLI, login, create connections, list actions, run actions, and proxy requests to the Snapchat Marketing API via Membrane. It does not instruct reading local sensitive files or requesting unrelated credentials. Note: the 'membrane request' proxy lets the agent send arbitrary API requests to Snapchat on behalf of connected accounts, which is expected for this integration but means the skill (once authorized) can issue arbitrary API calls within that account's scope.
Install Mechanism
There is no install spec in the registry metadata, but the SKILL.md instructs installing the Membrane CLI from npm (global install) and also suggests npx. That is a practical install mechanism (npm registry) but the manifest should have declared required binaries (npm/node) or an install step. The missing metadata reduces transparency about what will be required on the host. Installing global npm packages is moderate-risk compared to no install.
Credentials
The skill declares no environment variables and explicitly advises not to ask users for API keys, relying on Membrane to manage auth. That is proportionate: a connector-based approach avoids local secrets. There are no unexpected credential requests in the SKILL.md.
Persistence & Privilege
The skill is instruction-only, has no install script in the registry, and does not request always: true or other persistent privileges. It requires a Membrane account and interactive login in a browser, which is normal. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
What to consider before installing
This skill appears to be a straightforward Membrane-based Snapchat Marketing integration, but the package metadata is incomplete: the README instructs installing the Membrane CLI via npm (and using npx), yet the manifest lists no required binaries or install steps. Before installing, verify you trust the @membranehq/cli package and the Membrane service (check the npm package page and the vendor website), be prepared to authenticate via a browser (Membrane manages credentials server-side), and understand that once a connection is authorized the CLI/proxy can make arbitrary Snapchat API calls on behalf of that account. If you require stricter transparency, ask the publisher to update the manifest to declare required binaries (node/npm) and an install spec, and to document exactly which scopes/permissions the Snapchat connector requests.
Like a lobster shell, security has layers — review code before you run it.
