ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tabnine

v1.0.0

Tabnine integration. Manage data, records, and automate workflows. Use when the user wants to interact with Tabnine data.

0· 26·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill's stated purpose (manage Tabnine data via Membrane) matches the runtime instructions: it instructs the agent to use the Membrane CLI and Membrane connections to interact with Tabnine. One minor inconsistency: registry metadata lists no required binaries while the SKILL.md explicitly instructs installing the @membranehq/cli.
Instruction Scope
Instructions are narrowly scoped to using the Membrane CLI to create connections, list actions, run actions, and proxy API requests to Tabnine. They do not instruct reading unrelated files or local secrets. Important operational detail: requests and authentication happen through Membrane servers, so Tabnine request payloads and authentication flows will be proxied/stored by Membrane—this is explicit in the file and relevant to privacy.
Install Mechanism
There is no formal install spec in the registry metadata, but SKILL.md asks users to run `npm install -g @membranehq/cli` (global npm install). Installing a CLI from npm is a common step for this use case, but the lack of an install spec in the registry metadata is a documentation mismatch and you should verify the npm package name and its reputation before installing (typosquatting risk).
Credentials
The skill declares no required environment variables or credentials and the instructions explicitly say not to ask users for API keys, instead using Membrane-managed connections. This is proportionate. Note: trusting Membrane with auth means credentials and proxied API calls are handled server-side by an external service, so consider the privacy/trust implications.
Persistence & Privilege
The skill does not request always-on inclusion, does not modify other skills, and is instruction-only (no files written by the skill itself). Normal autonomous invocation is allowed (platform default) and appropriate for this integration.
Assessment
This skill is coherent: it directs the agent to use the Membrane CLI to connect to Tabnine and does not ask for local secrets. Before installing or using it: (1) confirm you trust Membrane (https://getmembrane.com) because your Tabnine API calls and auth will be proxied and handled server-side; (2) verify the npm package name (@membranehq/cli) and its reputation to avoid typosquatting; (3) be aware the SKILL.md asks you to perform a global npm install even though the registry metadata doesn't list required binaries—this is a documentation mismatch you may want to clarify; (4) don't provide local API keys to the agent—use the provided connection flow so credentials are handled by Membrane. If you need higher assurance, review Membrane's privacy/security docs and the referenced repository before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c9sr3drfnt2mwff1bfbadkx846hn3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments