Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Teamtailor

v1.0.2

Teamtailor integration. Manage data, records, and automate workflows. Use when the user wants to interact with Teamtailor data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to integrate with Teamtailor and its SKILL.md clearly uses the Membrane CLI (membrane) and a Membrane account to connect and proxy requests. However, the registry metadata lists no required binaries or credentials even though the instructions require installing @membranehq/cli and performing membrane login. That metadata/instruction mismatch is incoherent and could mislead users about what the skill needs.
Instruction Scope
Instructions are focused on Teamtailor actions via the Membrane CLI and do not ask the agent to read unrelated local files or environment variables. Important runtime behavior: requests to Teamtailor are sent through Membrane's proxy (membrane request), so Teamtailor data and requests will traverse Membrane's servers. This is expected for this integration but is a central privacy/security consideration.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the SKILL.md tells users to run npm install -g @membranehq/cli. That is a straightforward npm global install from a public registry (moderate risk). The registry should have declared the dependency/binary requirement; the absence is an inconsistency to be aware of.
Credentials
The skill declares no required env vars and instructs you not to provide Teamtailor API keys directly (Membrane manages auth). Requiring a Membrane account (via browser auth) is proportionate to its design, but it does mean credentials and proxied data are held/handled by Membrane — verify you are comfortable with that third-party custody.
Persistence & Privilege
Skill is not marked always:true and does not request elevated or persistent agent-wide privileges. Autonomous invocation is allowed by default but is not combined with other high-risk flags here.
What to consider before installing
Before installing or using this skill:
1) Note the SKILL.md requires the Membrane CLI (membrane) and a Membrane account even though the registry metadata does not list these requirements — ensure you have Node/npm and are prepared to install @membranehq/cli from the npm registry.
2) Understand that Teamtailor API calls will be proxied through Membrane (getmembrane.com); review Membrane's privacy, security, and data retention policies because your candidate/job data will traverse their service.
3) Verify the skill's origin — check the referenced GitHub repo and the publisher identity — and prefer installing the Membrane CLI from the official npm package.
4) Do not share Teamtailor API keys to this skill (SKILL.md explicitly says to let Membrane handle auth); instead use the browser-based connection flow.
5) If you need stronger assurances, ask the publisher for an explicit dependency list or a signed release, or consider limiting the account permissions used for the Teamtailor connection.

Like a lobster shell, security has layers — review code before you run it.
