Tomba

v1.0.0

Tomba integration. Manage data, records, and automate workflows. Use when the user wants to interact with Tomba data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (Tomba integration) match the instructions: everything is done via the Membrane CLI and Membrane's proxy to Tomba. No unrelated services, env vars, or binaries are requested.
Instruction Scope
SKILL.md only tells the agent to install/use the Membrane CLI, authenticate via browser, create/connect to a Tomba connector, run actions, or proxy requests to the Tomba API. It does not instruct reading arbitrary local files, asking for unrelated credentials, or sending data to unexpected endpoints.
Install Mechanism
This is an instruction-only skill (no install spec). The README suggests installing @membranehq/cli via `npm install -g`, which is a normal but higher-privilege action (global npm install). Using npx (which the doc also demonstrates) or a local install avoids global package permissions. No downloads from untrusted URLs are requested.
Credentials
The skill requests no environment variables or local credentials (Membrane handles auth). This is proportionate, but it implies trust in Membrane: authentication occurs in-browser and credentials/session management are handled server-side by Membrane, so you should be comfortable delegating Tomba access to that service.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not attempt to modify other skills or system-wide configuration. Autonomous invocation is allowed (platform default) but not combined with other privilege escalation indicators.
Assessment
This skill appears to do what it says: it uses Membrane to talk to Tomba and asks you to install or run the Membrane CLI and authenticate in a browser. Before installing: (1) confirm you trust Membrane (https://getmembrane.com) because it will hold the connector credentials and act as a proxy to Tomba; (2) prefer using `npx` or a local CLI install instead of `npm install -g` to avoid granting global write privileges; (3) when creating the connection, review and limit any requested scopes/permissions in the OAuth/consent screen; and (4) if you require stricter isolation, run the CLI in a controlled environment (container or VM).

Like a lobster shell, security has layers — review code before you run it.

latestvk974nr0s0we8qr6jhq0qwmh27584f6sx
