ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xperiencify

v1.0.0

Xperiencify integration. Manage data, records, and automate workflows. Use when the user wants to interact with Xperiencify data.

0· 48·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description claim Xperiencify integration and the SKILL.md uses Membrane to reach Xperiencify — conceptually aligned. However the skill metadata lists no required binaries or credentials even though the instructions require the Membrane CLI (npm/@membranehq/cli), network access, and a Membrane account. That mismatch is a packaging inconsistency.
Instruction Scope
The SKILL.md confines actions to using the Membrane CLI to find connectors, run actions, and proxy requests to Xperiencify. It does not instruct reading unrelated files or exfiltrating environment variables, and explicitly advises not to ask users for API keys.
Install Mechanism
There is no formal install spec; the docs instruct installing @membranehq/cli via npm (global) or using npx. Installing from npm is a common pattern but has moderate risk compared with a vetted package manager formula; the metadata should have declared this requirement. Prefer npx to avoid a global install if you want to minimize system changes.
Credentials
The skill declares no required env vars or credentials, which matches its recommendation to use Membrane-managed connections (no local API keys). However SKILL.md does require a Membrane account and network access — these runtime requirements are not reflected in metadata and should be documented before install.
Persistence & Privilege
always is false and there is no install spec that writes files as part of the skill. The Membrane CLI will locally store authentication/session state after login (expected for a CLI), which is normal but means credentials are persisted on the host outside the skill bundle.
What to consider before installing
This skill appears to do what it says, but before installing: 1) Verify the Membrane package and domain (getmembrane.com and @membranehq on npm/GitHub) to ensure you're installing the legitimate CLI. 2) Note the SKILL.md requires npm/npx, network access, and a Membrane account even though metadata omits these — plan accordingly. 3) Prefer using npx @membranehq/cli@latest instead of a global npm install to avoid permanent system-wide changes. 4) When you create the connection, review the OAuth scopes and what data Membrane will access for your Xperiencify account. 5) If you do not fully trust the skill source, run the recommended membrane commands manually (instead of granting autonomous agent invocation) and confirm outputs before allowing the agent to act. 6) If you need more assurance, ask the publisher for an install spec and an explanation of why metadata omitted required binaries/requirements.

Like a lobster shell, security has layers — review code before you run it.

latestvk9740emfdqh0mk6ff3y15asds18487tz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments