ClawHub

Veracode

v1.0.2

Veracode integration. Manage data, records, and automate workflows. Use when the user wants to interact with Veracode data.

0· 125·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the runtime instructions: the SKILL.md tells the agent to interact with Veracode via the Membrane CLI (connect, list actions, run actions, proxy requests). There are no unrelated required env vars, binaries, or config paths.
Instruction Scope
Instructions ask the user/agent to install and run the @membranehq/cli, perform membrane login (browser-based auth), create connections, run actions, and proxy raw API requests through Membrane. This is expected for a connector, but proxying arbitrary endpoints means the CLI could be used to send arbitrary requests — review what data you pass through it.
Install Mechanism
No packaged install spec is included in the skill bundle; the SKILL.md recommends installing @membranehq/cli via npm (global). Installing a global npm package is a common choice but carries the usual risks of executing third-party package install scripts — verify package provenance and audit the package if you have high assurance requirements.
Credentials
The skill declares no required environment variables or credentials and explicitly directs the user to let Membrane handle credentials server-side. That is proportionate for a connector skill. There are no requests for unrelated secrets.
Persistence & Privilege
The skill does not set always:true and does not request system-wide configuration changes. Agent autonomous invocation is allowed (platform default) but the skill itself does not demand persistent elevated privileges.
Assessment
This skill is coherent: it uses Membrane (a third-party service) to access Veracode and does not ask for local secrets. Before installing/using it: 1) Verify you trust Membrane (review https://getmembrane.com, their privacy/TOS, and the @membranehq/cli npm package and GitHub repo). 2) Prefer least-privilege: create a dedicated Veracode connection with minimal scopes rather than using highly privileged accounts. 3) Be aware npm install -g runs third-party code — inspect the package if you need high assurance. 4) When using the 'membrane request' proxy, avoid sending any sensitive data through it unless you trust Membrane's handling of that data. 5) If you need stricter guarantees, consider using Veracode’s official APIs directly with controlled credentials instead of a third-party proxy.

Like a lobster shell, security has layers — review code before you run it.

latestvk9728m9hvga16yq5mz6n17gpm58436jj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments