Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ahrefs
v1.0.2
Ahrefs integration. Manage Projects. Use when the user wants to interact with Ahrefs data.
by Membrane Dev (@membranedev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's purpose (Ahrefs integration) aligns with the runtime instructions (using Membrane to talk to Ahrefs). However, the skill metadata lists no required binaries while SKILL.md explicitly requires the 'membrane' CLI — an inconsistency that affects install/runtime expectations.
Instruction Scope
The SKILL.md stays on‑topic: it instructs installing and using the Membrane CLI, running connector/connect/action commands and performing browser-based auth. It does not ask the agent to read unrelated system files, secrets, or exfiltrate data to unexpected endpoints.
Install Mechanism
The instructions ask you to install @membranehq/cli globally via npm (a public registry). This is a moderate-risk install because it introduces third‑party code to the system; the SKILL.md does not include an automated install spec and leaves installation to the user/agent.
Credentials
No environment variables or credentials are declared in the skill metadata. The integration relies on the user's Membrane account and browser-based auth to obtain Ahrefs access, which is proportional, but requires trusting Membrane with connector access to Ahrefs data.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It doesn't attempt to modify other skills or system-wide settings in the instructions, so requested privileges are limited.
What to consider before installing
This skill appears to legitimately wrap Ahrefs via the Membrane CLI, but there are a few things to check before installing:
- The SKILL.md requires the 'membrane' CLI but the skill metadata does not declare that binary. Confirm the runtime environment will have the membrane CLI available (or be allowed to install it).
- Installing @membranehq/cli globally (npm install -g) brings third‑party code onto your system — verify the package author, check the package's npm page, and prefer installing a pinned version. Run npm audit/verify signatures if possible.
- The Membrane account and CLI will broker access to Ahrefs on your behalf; ensure you trust Membrane with connector access and understand what data it can access. Consider creating least-privilege accounts if supported.
- If running in a headless environment, confirm the headless auth flow described works for your setup and that no sensitive tokens are exposed in command output or logs.
If you want to proceed, ask the skill owner to update metadata to declare 'membrane' as a required binary and to provide an explicit install spec and recommended package version to reduce ambiguity.
Like a lobster shell, security has layers — review code before you run it.
