ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Soveren

v1.0.0

Soveren integration. Manage data, records, and automate workflows. Use when the user wants to interact with Soveren data.

0· 44·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description say 'Soveren integration' and the SKILL.md exclusively documents using the Membrane CLI to discover connections, run actions, and manage Soveren data. The required capabilities (network access and a Membrane account) match the stated purpose.
Instruction Scope
All runtime instructions are CLI-based (install the Membrane CLI, run membrane login, find connectors, run actions). The instructions do not request unrelated files, system paths, or extra credentials. Note: the skill tells the user to install a global npm CLI or use npx — this means executing third-party code on the host, which is expected but should be treated as a normal supply-chain consideration.
Install Mechanism
There is no bundled install spec; the SKILL.md instructs installing @membranehq/cli via npm (or using npx). Installing from npm is standard and traceable, but global npm installs run code with the user's privileges (moderate risk). No obscure URLs or archive downloads are used.
Credentials
The skill declares no required environment variables or credentials beyond a Membrane account and normal OAuth via browser. That is proportional for a client that delegates auth to Membrane. It does not request unrelated secrets or config paths.
Persistence & Privilege
The skill does not request always:true and does not claim to modify other skills or system-wide settings. Model invocation is allowed (the platform default) but there are no additional persistent privileges requested.
Assessment
This skill is instruction-only and uses the official Membrane CLI to talk to Soveren, which is coherent with its description. Before installing or running it: prefer using npx (npx @membranehq/cli@latest) or pin a specific CLI version instead of npm -g to avoid unreviewed global package upgrades; review the @membranehq/cli package repo and recent releases on GitHub (https://github.com/membranedev) to confirm maintainers and release integrity; be aware that installing CLI tools runs code with your user permissions—install in a container or sandbox if you want extra isolation; don't share your Membrane account credentials and review the OAuth scopes shown during membrane login. If you need higher assurance, ask the skill publisher for a signed release or a reproducible install procedure.

Like a lobster shell, security has layers — review code before you run it.

latestvk978dt0b037rw66n92smj2tj7d84c7e0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments