ClawHub

Streamtime

v1.0.2

Streamtime integration. Manage Organizations. Use when the user wants to interact with Streamtime data.

0· 80·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name and description match the instructions: this is a Streamtime integration using Membrane as a proxy/connector. Required capabilities (network access, Membrane account) are appropriate for the stated purpose.
Instruction Scope
All runtime instructions are scoped to discovering/creating a Membrane connection and invoking Streamtime actions or proxied API calls. The SKILL.md tells the agent to run npx @membranehq/cli to authenticate, list connections, run actions, and proxy requests. It documents where credentials are stored (~/.membrane/credentials.json). The instructions do not request unrelated files, env vars, or other system credentials.
Install Mechanism
This is an instruction-only skill, but it instructs use of npx @membranehq/cli@latest which will fetch and execute a package from the npm registry at runtime. That is expected for this integration but introduces typical npm supply-chain risk (remote code executed, no explicit integrity verification or pinned version).
Credentials
The skill declares no required environment variables or credentials. It relies on Membrane to manage auth rather than asking for local API keys, which is proportional to the described functionality.
Persistence & Privilege
always:false (not force-included). The workflow results in persistent local credentials stored at ~/.membrane/credentials.json and routes API calls via Membrane's service, so user tokens and proxied request payloads will be stored/handled by the Membrane tooling/service.
Assessment
This skill appears to do what it says: it uses the Membrane CLI to talk to Streamtime. Before installing or using it, consider: (1) npx @membranehq/cli@latest will download and run remote code from npm each time — if you need stronger guarantees, prefer a pinned version and inspect the package source. (2) Authentication is performed via Membrane and credentials are stored locally at ~/.membrane/credentials.json and are used to make proxied requests through Membrane's servers — verify you trust Membrane's service and privacy policy for any sensitive data. (3) If you care about limiting agent autonomy, note this skill can be invoked by the agent by default; restrict autonomous use in agent settings if needed. If you want a deeper review, provide the npm package repository or Membrane service documentation so I can check the package maintainer, repository, and release provenance.

Like a lobster shell, security has layers — review code before you run it.

latestvk977gq1w0k7t29rqnc0b4pj0mn843nvc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments