ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tines

v1.0.2

Tines integration. Manage data, records, and automate workflows. Use when the user wants to interact with Tines data.

0· 122·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a Tines integration that operates via the Membrane CLI — this fits the stated purpose. However the registry metadata declares no required binaries or credentials while the instructions require Node/npm and the @membranehq/cli (membrane) CLI to be installed, a mismatch that should have been declared.
Instruction Scope
Instructions stay within the stated purpose: install Membrane CLI, create a connection, list/run actions, and proxy requests to the Tines API via Membrane. They do not instruct the agent to read unrelated local files or request unrelated credentials. Note: proxying arbitrary API requests through Membrane will cause network calls and may transmit Tines data to Membrane's servers (intended behavior for this integration).
Install Mechanism
There is no install spec in the registry (instruction-only), but SKILL.md tells users to install @membranehq/cli globally via npm. That is a reasonable install path (npm registry) but the manifest should have declared this dependency. Global npm installs require privileges and install code from a public registry — verify the package and publisher before installing.
Credentials
The skill declares no required environment variables or credentials, and the instructions explicitly direct using Membrane's hosted auth flow rather than asking for API keys. This is proportionate to the stated purpose. Be aware that Membrane will hold/proxy authentication to Tines.
Persistence & Privilege
The skill does not request always:true or any special privileges and is user-invocable only. It does not instruct modifying other skills or system-wide configuration. Note that the agent may invoke the membrane CLI (network calls) when allowed.
What to consider before installing
What to consider before installing: - The SKILL.md requires Node/npm and the @membranehq/cli ('membrane') but the registry metadata does not declare these — you will need to install them manually. Installing npm packages globally requires elevated privileges on some systems; review and trust the package publisher (@membranehq) first. - Membrane acts as a proxy and holds the auth lifecycle for Tines. Ensure you trust Membrane (privacy, security, and account access) before using it to manage sensitive Tines data. - Because the skill uses CLI commands that perform network requests (membrane action/run, membrane request), an agent invoking this skill can cause remote API calls and data transfers to Membrane/Tines. Confirm you are comfortable with that behavior. - Ask the skill author to update the registry manifest to list required binaries (node, npm, membrane) and optionally provide an install spec to avoid surprises. If you want to proceed: verify the npm package @membranehq/cli (publisher, downloads, repo), install it in a controlled environment, and test with a non-production Membrane/Tines account first. If you have security concerns about granting Membrane access to your Tines tenant, perform an independent integration review or use account-level least privilege and monitoring.

Like a lobster shell, security has layers — review code before you run it.

latestvk977fsqs4jhcjkfx6e9m98c2sn8438ha

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments