ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Spotinst

v1.0.0

Spotinst integration. Manage data, records, and automate workflows. Use when the user wants to interact with Spotinst data.

0· 45·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims to integrate with Spotinst and all runtime instructions center on using the Membrane CLI to create connections, list actions, and proxy requests to Spotinst. Requesting a Membrane account and network access is consistent with that purpose. Minor mismatch: registry metadata lists no required binaries, but the SKILL.md instructs installing @membranehq/cli via npm.
Instruction Scope
SKILL.md confines its instructions to installing and using the Membrane CLI (login, connect, action list/run, request proxy). It does not instruct reading unrelated local files, environment variables, or modifying other skills. It does, however, rely on browser-based auth and sending API requests through Membrane's proxy, which means Spotinst data and API calls will flow through Membrane's service.
Install Mechanism
There is no registry install spec, but the instructions tell the user to run npm install -g @membranehq/cli (or npx). Installing an npm CLI from the public registry is a common pattern and expected here, but it is a package install that will run code on the user's machine. The registry not declaring this requirement is an informational inconsistency the user should notice.
Credentials
The skill declares no required environment variables or credentials and explicitly says not to ask the user for API keys because Membrane manages auth server-side. That is proportionate. Note: using Membrane means authentication tokens/requests are handled by a third party (Membrane); no local secrets are requested by the skill itself.
Persistence & Privilege
The skill is not force-installed (always: false) and does not request system‑wide config changes in its instructions. It can be invoked autonomously (default), but that is the platform norm and not by itself a red flag.
Assessment
This skill is coherent for interacting with Spotinst through Membrane, but before installing: 1) Understand that API calls and Spotinst data will be proxied through Membrane (a third party) — review Membrane's privacy and security practices and your organization's policy. 2) The SKILL.md asks you to install an npm CLI (global install may require admin rights); you can use npx to avoid global installs. 3) Verify the Membrane connector and the browser auth flow when creating connections; do not paste API keys into chat. 4) Note the registry metadata omitted the CLI install requirement — expect to run npm/npx to use this skill. If you need higher assurance, confirm the @membranehq/cli package source and contents (npm/GitHub) before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk973kd09chdv4r6hx9acg9amp5848h7z

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments