Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Teamsupport

v1.0.2

TeamSupport integration. Manage data, records, and automate workflows. Use when the user wants to interact with TeamSupport data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md clearly requires the @membranehq/cli, a Membrane account, and network access to proxy TeamSupport API calls. The registry metadata, however, lists no required binaries, env vars, or config paths. The need to install a CLI and to authenticate with an external service should have been declared; the omission leaves the registry metadata inconsistent with what the skill needs at runtime.
Instruction Scope
The instructions are narrowly focused on using Membrane to interact with TeamSupport (listing actions, running actions, or proxying requests). They do not ask the agent to read unrelated files or environment variables. They do instruct global npm installs and browser-based auth flows, which are within scope but require user interaction and trust in the Membrane service.
! Install Mechanism
There is no formal install spec in the manifest; instead SKILL.md tells the user to run `npm install -g @membranehq/cli` (or use npx). A global npm install modifies the host environment and should have been reflected in the requirements. While using the public npm package is typical, the manifest omission and the need for network access, a download, and an install are a risk worth surfacing.
Credentials
The skill does not request any environment variables or API keys in the manifest, and SKILL.md explicitly advises not to ask users for TeamSupport API keys (Membrane manages auth). That is proportionate. However, it means credentials are held and managed by Membrane's service, so you should evaluate whether sending TeamSupport data via Membrane aligns with your privacy and security policies.
Persistence & Privilege
The skill is not always-included and does not request elevated platform privileges. It is user-invocable and can be invoked autonomously per platform defaults; this is expected for skills and not a standalone concern here.
What to consider before installing
Before installing or using this skill:
(1) Be aware that it requires installing the @membranehq/cli (global npm install) and a Membrane account; the registry entry did not declare these requirements, which is an inconsistency.
(2) Verify the identity and trustworthiness of the @membranehq/cli package on npm and the Membrane operator (review package publisher, GitHub repo, and recent activity).
(3) Understand that Membrane will proxy requests to TeamSupport and will hold/refresh credentials server-side; confirm that your organization is comfortable with that data flow and review what permissions the connector requests during the browser auth flow.
(4) If you are concerned about installing a global npm package, run it in an isolated environment (container or VM) or prefer using npx for ephemeral execution.
(5) Ask the publisher to update the manifest to declare required binaries/network/account requirements so the skill metadata matches its runtime needs.
