Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Totalexpert
v1.0.0
Total Expert integration. Manage data, records, and automate workflows. Use when the user wants to interact with Total Expert data.
by Vlad Ursul (@gora050)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description align with using Membrane to access Total Expert. However, the registry metadata lists no required binaries or config paths while the SKILL.md explicitly requires installing and using the @membranehq/cli; this mismatch is an incoherence (metadata should declare the CLI dependency).
Instruction Scope
SKILL.md confines actions to discovering and running Membrane-provided actions or proxying Total Expert API calls via Membrane. It does not instruct reading unrelated local files or exfiltrating data to third-party endpoints beyond Membrane/Total Expert. Note: proxying arbitrary API paths gives broad access to CRM data (expected for this integration but sensitive).
Install Mechanism
There is no formal install spec in the registry, but the instructions ask users to run `npm install -g @membranehq/cli`. Installing a global npm package is a moderate-risk install mechanism (public registry package). The absence of an install entry in metadata is an inconsistency and reduces transparency about what will be written to disk.
Credentials
The skill declares no required environment variables or config paths, yet it requires a Membrane account and the CLI will perform browser-based auth and likely store credentials locally (not declared). Additionally, using Membrane routes requests (and thus CRM data) through Membrane's service — this is proportionate to the stated purpose but is a privacy/security decision the user must consciously accept and verify.
Persistence & Privilege
The skill does not request persistent 'always' presence and does not modify other skills. Autonomous invocation is allowed by default (platform behavior). Be aware that the Membrane CLI will manage and refresh credentials and may store tokens/config in the user's environment; that persistence is not described in the registry metadata.
What to consider before installing
This skill appears to do what it says — it uses the Membrane CLI to access Total Expert — but take these precautions before installing:
1) The metadata omitted important operational details (it doesn't list the Membrane CLI or any config paths). Ask the publisher to update the manifest to declare the CLI dependency and where credentials are stored.
2) Installing the CLI requires a global npm install (@membranehq/cli) — verify the package and its publisher (repository, npm page) before running a global install.
3) Using Membrane means CRM requests and authentication will be proxied through Membrane's service and the CLI will store tokens locally; confirm you trust Membrane (getmembrane.com) and understand where credentials are persisted.
4) Consider testing in an isolated environment (or with a non-production Total Expert account) first.
If you need higher assurance, request a declared install spec and explicit statements about local config paths and token storage from the skill author.
Like a lobster shell, security has layers — review code before you run it.
