ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Unlaunch

v1.0.0

Unlaunch integration. Manage data, records, and automate workflows. Use when the user wants to interact with Unlaunch data.

0· 44·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the instructions: this is an Unlaunch integration that uses Membrane as a proxy/connector. However, the skill metadata declares no required binaries or environment variables while SKILL.md requires the Membrane CLI (npm package) and network access; the metadata omission is inconsistent with the runtime steps.
Instruction Scope
The instructions are focused on installing the Membrane CLI, creating a connection, listing actions, running actions, and proxying API calls — all coherent with interacting with Unlaunch. They do not instruct reading arbitrary local files or exfiltrating unrelated data. The skill explicitly advises against asking users for API keys and relies on Membrane for auth.
Install Mechanism
Installation is via npm install -g @membranehq/cli (public npm registry). This is an expected mechanism for a CLI but does write a global binary and executes code from the npm registry — moderate risk compared to instruction-only skills. No direct downloads from arbitrary URLs are used.
Credentials
The skill requests no environment variables or local credentials and delegates authentication to Membrane (browser-based login and server-side credential handling). That is proportionate to the stated purpose. There are no requests for unrelated secrets.
Persistence & Privilege
The skill does not request always:true and does not modify system or other-skill configurations. It relies on an external CLI and Membrane for persistence of connections; agent autonomy is allowed (platform default).
What to consider before installing
This skill is an instruction-only integration that expects you to install the @membranehq/cli globally and sign in via a browser. Before installing, be aware: 1) the package will be installed from the public npm registry (global install), which modifies your system PATH; 2) the skill metadata does not declare this dependency — check you are comfortable installing and trusting @membranehq/cli; 3) the authentication is browser-based and handled by Membrane (you will not supply raw API keys locally). If you need a stricter review, inspect the @membranehq/cli package source/release and confirm the connector behavior on a non-production environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fgp41jkwmvkmcm3p6pvxsg58488cv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments