ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Workfront

v1.0.0

Workfront integration. Manage data, records, and automate workflows. Use when the user wants to interact with Workfront data.

0· 25·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match a Workfront integration and the SKILL.md references network access and a Membrane account. That purpose aligns with the content provided. However, Workfront integrations normally require API credentials or an authorization flow; the registry metadata declares no required environment variables or primary credential, which is unexpected given the declared compatibility requirement (a Membrane account).
Instruction Scope
This is an instruction-only skill that relies on runtime network access. The visible SKILL.md header explicitly requires network access and a Membrane account; there are no code files. No instructions shown in the truncated content indicate reading local system files or unrelated environment variables, but the full SKILL.md was not provided here. You should inspect the complete SKILL.md for any steps that ask the agent to read local files, shell history, or system config, or to send data to endpoints other than Workfront/Membrane.
Install Mechanism
No install spec and no code files — the skill is instruction-only. This minimizes risk from arbitrary downloaded code or on-disk binaries.
!
Credentials
The SKILL.md says a Membrane account is required, but the registry lists no required env vars or primary credential. Workfront integrations typically need an API key / OAuth token; it's unclear whether authentication happens interactively, via the agent platform, or through Membrane. The lack of declared credentials is an inconsistency that should be clarified before use.
Persistence & Privilege
always is false and there are no install steps or indications the skill will persistently modify agent/system configuration. Autonomous invocation is allowed (platform default) — this is normal but increases impact if the skill is given broad permissions.
What to consider before installing
Before installing, review the full SKILL.md and confirm exactly how the skill authenticates to Workfront and Membrane: does it prompt you for credentials at runtime, rely on the platform's account, or expect environment variables? Prefer using a least-privilege Workfront test account or scoped API token. Verify that the skill sends data only to Workfront or Membrane endpoints (check hostnames/URLs), and confirm Membrane (getmembrane.com / repository) is a trusted provider for this integration. Because this is instruction-only and uses network access, ensure you have logging/auditing enabled so you can revoke tokens if unexpected behavior occurs. If you need higher assurance, ask the publisher for a concise summary of the exact network endpoints and auth flow used by the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c2xfvzs0953wd8z2dk1g0g58470rc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments