Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Userpilot

v1.0.0

Userpilot integration. Manage data, records, and automate workflows. Use when the user wants to interact with Userpilot data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
!
Purpose & Capability
The skill's described purpose (Userpilot integration) matches the instructions (use Membrane CLI and Membrane connections to access Userpilot). However the registry metadata declares no required binaries or credentials, while SKILL.md explicitly requires installing @membranehq/cli and a Membrane account — an omission that is inconsistent and should have been declared.
Instruction Scope
SKILL.md stays on-topic: it instructs the agent/operator to install/use the Membrane CLI, create a connection, list and run actions, or proxy API requests to Userpilot. It does not instruct reading unrelated files, asking for arbitrary secrets, or exfiltrating data to unknown endpoints.
!
Install Mechanism
The skill asks the user to install a third‑party CLI from npm (npm install -g @membranehq/cli) and suggests npx usage. Installing a global npm package modifies the system environment and pulls code from the npm registry (moderate supply‑chain risk). The registry entry contains no formal install spec, so the required binary is only present in SKILL.md — another inconsistency.
Credentials
The skill requests no environment variables or local credentials and explicitly says Membrane handles auth. This is proportionate for a connector-style integration, but it does require a Membrane account and network access. You should evaluate what privileges the Membrane connection will have in your Userpilot account before granting access.
Persistence & Privilege
The skill does not request always: true, does not declare persistent system modifications, and does not indicate it will change other skills or global agent settings. Autonomous invocation is allowed by default (normal) but not uniquely privileged here.
What to consider before installing
This skill is coherent in purpose (it uses Membrane to talk to Userpilot) but the package metadata omits the CLI dependency and install steps that SKILL.md requires. Before installing or running it: (1) confirm you trust the @membranehq npm package (check its npm page and GitHub repo and recent maintainers/releases); (2) prefer using npx for one‑off use instead of a global npm -g install to limit system changes; (3) review what account/permissions the Membrane connector will get on your Userpilot workspace; (4) if you need stronger assurance, ask the publisher to update the registry metadata to declare required binaries and install steps, or supply a signed install spec; (5) do not provide local API keys — follow the SKILL.md advice to create a Membrane connection rather than sharing secrets locally.

Like a lobster shell, security has layers — review code before you run it.
