Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Testimio

v1.0.0

Testim.io integration. Manage data, records, and automate workflows. Use when the user wants to interact with Testim.io data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly targets Testim.io integration and uses Membrane to handle auth and API proxying, which is coherent with the description. However, the registry metadata lists no required binaries or env vars while the runtime instructions require the 'membrane' CLI (npm install -g @membranehq/cli or npx usage). That mismatch between declared requirements and runtime instructions is an inconsistency.
Instruction Scope
Instructions are focused on using the Membrane CLI to create connections, list/run actions, and proxy Testim.io API requests. They do not instruct reading unrelated files or exporting environment variables. Note: the proxy capability can forward arbitrary API calls through Membrane (expected for an integration) so the external service will see proxied request contents.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md tells the user to run 'npm install -g @membranehq/cli' (or use npx). A global npm install runs third‑party code and modifies the system; this is a moderate risk and should be done only from verified packages and authors. The lack of a registry-declared install requirement increases the chance users miss this step or its implications.
Credentials
The skill declares no required env vars and relies on Membrane to hold credentials server‑side, which explains the absence of local secrets. This is proportionate, but it does shift trust to the Membrane service (they will hold and refresh API credentials and see proxied traffic).
Persistence & Privilege
The skill is instruction-only, does not request always:true, and does not attempt to modify other skills or system-wide config. It does require installing a CLI (user action) but the skill itself does not persist or demand elevated platform privileges.
What to consider before installing
This skill appears to be a legitimate wrapper around the Membrane CLI for Testim.io, but note two things before installing: (1) SKILL.md requires the @membranehq/cli (it suggests 'npm install -g' or using npx) even though the registry metadata lists no required binaries — verify you are willing to install and run a third‑party npm package globally. Prefer using 'npx' or a local install if you want to avoid global changes. (2) Membrane will hold and refresh API credentials and will see proxied request payloads — ensure you trust getmembrane.com / the Membrane service and review their security/privacy docs. If you plan to proceed, verify the npm package and the GitHub repository (https://github.com/membranedev/application-skills) are genuine and published by a trusted maintainer; ask the publisher to update the registry metadata to declare the membrane CLI requirement so the dependency is explicit.

Like a lobster shell, security has layers — review code before you run it.
