ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Yumpu

v1.0.0

Yumpu integration. Manage data, records, and automate workflows. Use when the user wants to interact with Yumpu data.

0· 50·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill declares itself as a Yumpu integration and instructs use of the Membrane CLI to interact with Yumpu. Required capabilities (network access, a Membrane account, installing @membranehq/cli) align with the described purpose. The SKILL.md is verbose and looks like generic capability scaffolding, but that is not inconsistent with an integration skill.
Instruction Scope
Instructions direct the user/agent to install and run the Membrane CLI and to authenticate via browser (or use a headless flow). The instructions do not request unrelated files, environment variables, or system-wide credentials in the visible portion. Because the skill is instruction-only, the CLI calls are the primary runtime surface — those calls will network to Membrane and then Yumpu, so trust in Membrane is required.
Install Mechanism
There is no registry install spec; the SKILL.md tells users to run `npm install -g @membranehq/cli`. Installing a public npm CLI globally is a common pattern but modifies the host environment and runs code from the npm registry (moderate risk). The package and domain referenced appear to be Membrane-related (getmembrane.com / @membranehq), not an unknown/personal URL.
Credentials
The skill does not declare or require environment variables, credentials, or config paths in the registry metadata. Authentication is handled interactively via the Membrane CLI (browser-based or headless code flow), which is proportionate to an integration that needs access to user Yumpu data.
Persistence & Privilege
The skill is not marked always:true, does not request elevated persistence, and is user-invocable. It does instruct installing a global CLI (which is a local change) but does not request to modify other skills or system-wide agent settings.
Assessment
This skill is instruction-only and uses the Membrane CLI to talk to Yumpu. Before installing or running it: 1) Verify you trust Membrane (@membranehq/getmembrane) because the CLI will handle auth and proxy requests to Yumpu. 2) Inspect the npm package (package page, maintainer, versions, and recent activity) before doing a global `npm install -g`. 3) Run CLI installs and tests on a non-production machine first if possible. 4) Be mindful that authenticating via the CLI grants the tool access to your Yumpu data — only authorize if you trust the provider and understand what scope you grant. 5) If you want higher assurance, request the skill author/publisher origin or a repository link for review; lack of an explicit registry install spec means the skill won’t auto-install but follows the CLI workflow documented in SKILL.md.

Like a lobster shell, security has layers — review code before you run it.

latestvk97adbwx14z8tkehfs6hfa7aw584fe0f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments