ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Time Doctor

v1.0.0

Time Doctor integration. Manage data, records, and automate workflows. Use when the user wants to interact with Time Doctor data.

0· 23·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name and description say this is a Time Doctor integration and the SKILL.md exclusively documents using the Membrane CLI to connect to Time Doctor and run actions or proxied requests — this is coherent with the stated purpose.
Instruction Scope
Instructions are narrowly scoped to installing and using the Membrane CLI, creating connections, listing actions, running actions, and proxying requests to Time Doctor. They do not instruct reading unrelated files or environment variables. Important note: using the proxy means request payloads (including any data you pass) will be sent to Membrane's servers.
Install Mechanism
The registry has no formal install spec, but SKILL.md tells users to run 'npm install -g @membranehq/cli' and shows npx usage. Installing a global npm package is a typical but non-trivial action — it's a public npm package (traceable), not an arbitrary download, but the manifest does not declare the install step so automation won't perform it for you.
Credentials
The skill declares no required environment variables or local config. It relies on Membrane for auth via browser-based login, so no local API keys are requested — this is proportionate to the stated design.
Persistence & Privilege
The skill is not always-included and uses normal autonomous invocation defaults. The practical privacy/privilege implication is that Membrane will act as a proxy for API calls and will observe request and response data; consider the risk of exposing sensitive information to a third-party service.
Assessment
This skill appears to do what it claims, but you should: (1) understand that using it requires installing the @membranehq/cli globally (npm install -g) — verify the package and its GitHub repo before installing; (2) accept that Membrane will host and proxy authentication and API requests, so any data you send through 'membrane request' or actions will be visible to Membrane (check their privacy/security docs and terms); (3) avoid passing highly sensitive secrets or PII through the proxy unless you trust the service and your organization's policy permits it; and (4) if you prefer not to trust an external proxy, consider a direct Time Doctor integration that uses your own credentials or infrastructure. If you want a deeper assessment, provide the exact @membranehq/cli package revision (or link to the package repo/release) so I can inspect what that CLI does when installed.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fq6cwq456x5f1040jmf3azs84489y

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments