Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tellent
v1.0.0Tellent integration. Manage data, records, and automate workflows. Use when the user wants to interact with Tellent data.
⭐ 0· 53·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (Tellent integration) aligns with the instructions to use Membrane to connect to a talent-management service. However the SKILL.md's 'Official docs' link points to developers.entelo.com (Entelo) — a likely copy/paste or documentation mismatch that should be clarified. Requiring the Membrane CLI is reasonable for a Membrane-based integration, but the Entelo reference is an inconsistency.
Instruction Scope
All runtime instructions are limited to installing and using the Membrane CLI (login flows, listing/creating connections, running actions, proxying requests). The instructions do not tell the agent to read unrelated system files or environment variables. They do rely on browser-based auth and on sending API requests through Membrane's proxy, which means user data/credentials will be handled by Membrane's service.
Install Mechanism
This is an instruction-only skill (no automatic install), and it tells the user to run 'npm install -g @membranehq/cli'. Installing a global npm package is a reasonable way to obtain a CLI, but it carries the usual npm risk (code from the package will run on the user's machine). The skill does not provide a signed release URL or repository details for the CLI binary itself; verify the package publisher on npm or use a scoped/local install if you prefer.
Credentials
The skill requests no environment variables, no credentials, and no config paths in its manifest. The SKILL.md explicitly instructs not to request API keys locally and to create a Membrane connection instead, which is proportionate. Note: using Membrane implies you must trust Membrane's servers to manage credentials and proxy API calls.
Persistence & Privilege
The skill is not always-enabled and has no special persistence or privileges in the manifest. It does not request to modify other skills or system-wide settings.
What to consider before installing
What to check before you install/use this skill:
- Confirm the documentation mismatch: SKILL.md references Entelo docs while the skill claims Tellent — ask the author which API/service this actually targets.
- Verify the CLI package: search npm for @membranehq/cli and confirm the publisher and package contents (or prefer installing it in a disposable environment or via npx to avoid a global install).
- Understand trust implications: Membrane's workflow proxies requests and manages credentials server-side, so you are trusting Membrane with access tokens and request payloads. Review Membrane's privacy/security docs and terms before connecting sensitive data.
- Prefer least privilege/testing: create a Membrane account with sandbox/test data or limited-scoped connection for initial testing rather than connecting production HR systems immediately.
- If the author provides a source repo or signed release for the CLI or clarifies the Entelo/Tellent discrepancy, that would increase confidence." }Like a lobster shell, security has layers — review code before you run it.
latestvk977hhpj3kq1q54ay4v0zk2d7184cp0h
License
MIT-0
Free to use, modify, and redistribute. No attribution required.