Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Timecamp

v1.0.2

TimeCamp integration. Manage data, records, and automate workflows. Use when the user wants to interact with TimeCamp data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a straightforward TimeCamp integration via the Membrane CLI, which matches the skill name and description. However, the registry metadata declares no required binaries or env vars while the instructions explicitly require installing and running the Membrane CLI (npm -g @membranehq/cli) and using browser-based auth. Declaring 'no required binaries' is inconsistent with runtime instructions (npm/node and the 'membrane' binary will be needed).
Instruction Scope
Instructions stay focused on TimeCamp tasks (listing/connecting actions, running proxied API requests). They do not instruct reading unrelated files or environment variables. One notable point: the skill tells the agent to use Membrane's proxy to perform arbitrary requests to the TimeCamp API — this means TimeCamp data and auth flows are routed through Membrane's servers, which is expected for this design but is an external-data-flow/privacy consideration the user should be aware of.
Install Mechanism
There is no formal install spec in the registry metadata, but SKILL.md instructs a global npm install of @membranehq/cli. npm is a public registry (moderate risk) and a global install will place a binary on PATH. The skill not declaring this requirement is an inconsistency; users should verify the package name and source before installing.
Credentials
The skill does not request environment variables or secrets in metadata and the instructions explicitly advise not to ask users for API keys, instead using Membrane-managed connections. No unrelated credentials are requested.
Persistence & Privilege
The skill is instruction-only, has no install script, no code files, and does not request always:true or other elevated persistence. It does rely on an external account (Membrane) and browser-based login, which is normal for this integration pattern.
What to consider before installing
This skill appears to be a legitimate TimeCamp integration that uses Membrane's CLI and proxy service, but there are a few practical and privacy things to check before installing:
- The SKILL.md expects you to install the Membrane CLI (npm -g @membranehq/cli) and to have Node/npm available; the skill metadata did not list these required binaries — ensure you have Node/npm and that you trust the npm package source before running a global install.
- Membrane will act as a proxy for TimeCamp API calls and will manage credentials server-side. That means TimeCamp data and auth flows will pass through Membrane's service; review Membrane's privacy, terms, and security posture and ensure you are comfortable granting that level of access.
- The skill opens browser-based auth flows; if you are in a headless or restricted environment, follow the headless login steps carefully.
- Because the metadata omits the install requirement, consider running the CLI install in an isolated environment (container/VM) or confirming the package and repo (https://github.com/membranedev/application-skills and the @membranehq/cli npm page) before proceeding.

If you need higher assurance, request the publisher to update metadata to declare required binaries (npm/node and membrane) and provide a direct link to the CLI release or package page.

Like a lobster shell, security has layers — review code before you run it.
