ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zbrain

v1.0.2

Zbrain integration. Manage data, records, and automate workflows. Use when the user wants to interact with Zbrain data.

0· 59·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes a Zbrain integration that relies on the @membranehq/cli and a Membrane account. However, the registry metadata declares no required binaries, env vars, or primary credential. That mismatch (instruction requires a CLI/npm install and network+account, registry claims none) is incoherent and should be clarified.
Instruction Scope
The runtime instructions stay within the stated purpose: they describe installing the Membrane CLI, logging in, creating connections, listing actions, running actions, and proxying requests to Zbrain via Membrane. They do not instruct reading unrelated files or exfiltrating arbitrary host data.
!
Install Mechanism
This is an instruction-only skill with no install spec in the registry, yet SKILL.md instructs users to run `npm install -g @membranehq/cli` (and shows npx usage). The registry should either declare this dependency or provide an install spec. Installing a global npm package executes third-party code on the host — verify package provenance and publisher before installing.
Credentials
The skill does not request host environment variables or secrets; it explicitly recommends using Membrane to avoid local API keys. That is proportionate to the described integration. Note: it does require a Membrane account and network access (mentioned in SKILL.md) which the registry did not surface.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. It only instructs using a CLI and browser-based auth flow; it does not ask to modify other skills or agent configs.
What to consider before installing
This skill's instructions are consistent with a Zbrain integration using Membrane, but the registry metadata omitted the real install/runtime requirements. Before installing: (1) verify the @membranehq/cli package and its publisher on npm/GitHub; (2) be aware you will need network access and a Membrane account and the login flow opens a browser or requires copying a code; (3) prefer using `npx` if you want to avoid a global install, or install in an isolated environment; (4) ask the skill author/registry owner to update the metadata to declare the CLI dependency and network/account requirements so the dependency is explicit. If you don't trust Membrane/getmembrane.com or the npm package, do not install the CLI.

Like a lobster shell, security has layers — review code before you run it.

latestvk9721x6m9a2jha2n1c5g0smk3d842zta

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments