ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Specific

v1.0.2

Specific integration. Manage data, records, and automate workflows. Use when the user wants to interact with Specific data.

0· 79·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and runtime instructions consistently describe a Membrane-backed integration for 'Specific' (discover connectors, run actions, or proxy requests). That capability matches the requests in SKILL.md. However the SKILL.md contains out-of-place text (a placeholder sentence: "I don't have enough information..." and an unrelated "Official docs" link to MDN's eval page) which is incoherent with the stated purpose and looks like copy/paste or a documentation error.
Instruction Scope
Instructions are self-contained and focused on using the @membranehq/cli to authenticate, list connectors/actions, run actions, or proxy API requests. That scope aligns with the described purpose. Note: proxying requests via Membrane means requests (and the proxied auth headers/tokens) will be sent through Membrane's servers — this is expected but important for privacy/authority considerations.
Install Mechanism
There is no install spec in the registry (instruction-only), but SKILL.md tells users to install the Membrane CLI via npm (npm install -g @membranehq/cli). Asking users to install a third-party global npm package is reasonable for this integration but requires verifying the package author/publisher before installing globally.
Credentials
The skill declares no required env vars or credentials and specifically instructs to let Membrane handle credentials. That is proportionate. Keep in mind Membrane (the service) will hold and refresh the third-party credentials for connections you create, so you are delegating credential custody to that vendor.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, has no install-time persistence declared, and doesn't request system-wide changes. No elevated or persistent privileges are requested by the skill metadata.
What to consider before installing
Before installing/use: 1) Verify the @membranehq/cli npm package and the Membrane project (publisher, GitHub repo, homepage) to ensure you're installing the authentic CLI. 2) Understand that Membrane will hold and proxy your third-party service credentials for connections you create — if that is a concern, review Membrane's privacy/security docs and consider using a low-privilege/test account. 3) Don't paste secrets into chat; follow the 'membrane login' browser flow as instructed. 4) Ask the skill author to fix the SKILL.md (remove or explain the unrelated MDN eval link and placeholder sentence) — those lines look like copy/paste errors and reduce confidence in the package. 5) If you must proceed, test with a limited/test tenant or account first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e218rd1wcq396msn989khq5843ja2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments