Yonder
v1.0.0Yonder integration. Manage data, records, and automate workflows. Use when the user wants to interact with Yonder data.
⭐ 0· 54·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The SKILL.md describes integrating with Yonder using the Membrane CLI, which matches the skill's stated purpose. However, the registry metadata did not declare the external dependency on the Membrane CLI/npm — the README explicitly tells operators to run `npm install -g @membranehq/cli` or use `npx`. This is reasonable for the integration but is a divergence from the registry's 'no required binaries' claim.
Instruction Scope
Instructions stay focused on discovering actions, running them, and proxying arbitrary requests to Yonder via Membrane. This is within scope, but the proxy feature (`membrane request CONNECTION_ID /path/to/endpoint`) allows arbitrary API calls (read/write) to the Yonder API through Membrane — a powerful capability that deserves explicit user awareness and consent.
Install Mechanism
There is no install spec in the package registry (instruction-only), but the SKILL.md instructs installing a third-party npm package globally (`npm install -g @membranehq/cli`) or using `npx`. Installing an npm package executes third-party code on the host and writes binaries; this is normal for CLI integrations but should be reviewed. The install source is a named npm package (not a random URL), which is lower risk than arbitrary downloads.
Credentials
The skill requests no environment variables or local credentials. Authentication is delegated to Membrane via interactive login/browser flow; no unexpected credentials are requested by the skill itself. Note: using Membrane means you are trusting their service to hold and refresh third-party API credentials.
Persistence & Privilege
The skill does not request always:true, does not declare system-wide config changes, and is user-invocable. It relies on the Membrane CLI and the user's interactive login; no elevated or hidden persistence is requested by the skill itself.
Assessment
This skill appears to do what it says: it uses Membrane to talk to Yonder. Before installing or running it, consider the following:
- Review the @membranehq/cli package (npm page and GitHub repo) to ensure you trust the publisher before running a global npm install. Prefer using `npx` if you want to avoid a global install.
- Be aware that the Membrane proxy command can perform arbitrary API calls on your behalf (read/write). Only create connections and run actions you trust, and review what commands an agent will run before granting autonomous invocation.
- Understand that authentication is handled server-side by Membrane — you are trusting their service to store and refresh Yonder credentials. Review Membrane's privacy/security docs and your organizational policy before connecting sensitive accounts.
- If you need tighter controls, run the CLI in an isolated environment (container or dedicated machine), and avoid granting the agent broad autonomous rights to run the commands listed in the SKILL.md.Like a lobster shell, security has layers — review code before you run it.
latestvk978f315xpjbz2t7tjyn92gfg184dnmy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.