ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Workday

v1.0.2

Workday integration. Manage Organizations, Deals, Leads, Projects, Pipelines, Goals and more. Use when the user wants to interact with Workday data.

0· 278·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name and description (Workday integration) align with the instructions, which direct the user to use the Membrane CLI to connect to Workday. One minor mismatch: the registry metadata lists no required credentials/env vars, but SKILL.md explicitly says a valid Membrane account and network access are required. This is a modest metadata omission rather than a capability mismatch.
Instruction Scope
All runtime instructions are scoped to installing and using the Membrane CLI (npm package) and invoking Membrane commands (login, connect, action list/run, request). The SKILL.md does not instruct reading unrelated files, environment variables, or sending data to unexpected endpoints outside the Membrane/Workday flow.
Install Mechanism
This is an instruction-only skill (no install spec). It tells users to run `npm install -g @membranehq/cli`. Installing a global npm package is expected for a CLI-based skill, but users should be aware of the usual risks of installing packages globally from npm and ensure the @membranehq package is trusted and up-to-date.
Credentials
The skill does not request environment variables from the registry metadata, and there are no required config paths. However, SKILL.md requires a Membrane account (and implicitly Workday credentials managed via Membrane). That is proportionate to the skill's function but should be noted: authentication is delegated to Membrane rather than via explicit env vars in the skill.
Persistence & Privilege
The skill is not always-on (always:false), does not request elevated system privileges, and does not include install scripts that modify other skills or system-wide settings. Autonomous invocation by the model is allowed (platform default) but is not combined with other high-risk indicators.
Assessment
This skill is instruction-only and expects you to use the Membrane CLI to interact with Workday. Before installing or using it: (1) confirm you trust the @membranehq/cli npm package and the getmembrane.com project; (2) be aware you'll need a Membrane account and to authenticate (browser-based flow or headless complete code); (3) installing a global npm package requires local privileges—review the package and your environment's security policy; (4) the skill delegates all Workday auth to Membrane, so review what Workday access the Membrane connector will request and whether you want that delegated; (5) the agent can invoke the skill autonomously by default—if you want to limit autonomous calls, adjust agent/skill policies accordingly.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bjdyqa828f3d4wer6m9g1xn842qy8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments