ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amara

v1.0.2

Amara integration. Manage data, records, and automate workflows. Use when the user wants to interact with Amara data.

0· 116·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Amara integration) match the runtime instructions: the SKILL.md instructs using the Membrane CLI to connect to Amara, list actions, run actions, and proxy requests — all coherent with managing Amara data.
Instruction Scope
Instructions are focused on installing and using the Membrane CLI, creating connections, listing actions, running actions, and proxying API requests. They do not ask the agent to read unrelated files, request unrelated environment variables, or transmit data to unexpected third parties beyond Membrane/Amara.
Install Mechanism
No packaged install spec in registry, but SKILL.md directs users to install a global npm package (npm install -g @membranehq/cli). Installing a global npm CLI executes third-party code on the host (moderate risk) but this is proportional to the stated need for a CLI; verify the package source before installing.
Credentials
The skill declares no required environment variables or credentials. It relies on Membrane's browser-based login and connection objects for auth, which is appropriate for a connector-style integration. There are no requests for unrelated secrets or system config paths.
Persistence & Privilege
The skill is instruction-only, has always:false, and does not request persistent privileges or attempt to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other red flags.
Assessment
This skill is coherent: it tells the agent to use the Membrane CLI to connect to Amara and run actions. Before installing or running commands, verify you trust the Membrane project and the npm package (@membranehq/cli) because installing a global npm CLI runs third-party code on your machine. Expect a browser-based login flow that creates a connection stored by Membrane (you do not need to provide raw API keys). If you need stronger assurances, review the @membranehq/cli package source, repository, and privacy/security docs at getmembrane.com and the GitHub repo before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b9ekktzvfnpj110typp5f698437cg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments