Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Soax
v1.0.2
Soax integration. Manage Persons, Organizations, Deals, Leads, Projects, Activities and more. Use when the user wants to interact with Soax data.
by Vlad Ursul @gora050
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md describes a Soax proxy integration (makes sense). However the skill's short description (at the registry level) mentions 'Manage Persons, Organizations, Deals, Leads, Projects, Activities' — CRM concepts unrelated to Soax. This mismatch suggests a copy-paste or metadata error and could mislead users about the skill's true purpose.
Instruction Scope
The instructions are focused: install Membrane CLI, authenticate via browser, create a Membrane connection to Soax, run pre-built actions or proxy raw API calls through Membrane. The instructions do not ask to read arbitrary local files or environment variables. Note: the CLI/login flow will create and store auth tokens (local and/or server-side) and Membrane will act on the user's behalf when proxying requests.
Install Mechanism
There is no automated install spec in the skill bundle, but SKILL.md asks users to run 'npm install -g @membranehq/cli' (a global npm install). Global npm installs can execute arbitrary postinstall scripts and affect system-wide PATH; elsewhere the doc also suggests using 'npx' for one-off commands. Recommendation: verify the package source, and prefer npx or review the CLI repo before installing globally.
Credentials
The skill declares no required environment variables or credentials. The workflow intentionally avoids asking for Soax API keys by delegating auth to Membrane. Users should understand that authorizing a Membrane connection grants Membrane access to the Soax account on the user's behalf — this is expected but important to consider from a trust/privacy perspective.
Persistence & Privilege
The skill does not request 'always: true' and does not attempt to modify other skills or system-wide settings. The only persistence is normal: the Membrane CLI and Membrane service will hold connection/auth state after login — standard for a CLI-based OAuth flow.
What to consider before installing
This skill's runtime instructions fairly describe using the Membrane CLI to interact with Soax, but the registry description (mentions Persons/Deals/etc.) is inconsistent and likely a copy-paste error — ask the publisher to clarify. If you proceed: 1) only install @membranehq/cli from the official source (review the npm package and GitHub repo), 2) prefer using 'npx' for one-off use instead of a global npm install if you want to avoid adding a global package, 3) be aware that logging in authorizes Membrane to act on your behalf and that credentials/tokens will be stored (local CLI state and Membrane server-side connections), and 4) if you need stronger assurance, verify the skill's repository and contact the owner before granting access.
Like a lobster shell, security has layers — review code before you run it.
latest vk979w3t5fyrxh7fxwbwcs7vg3h843qj7
