ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Appfire

v1.0.0

Appfire integration. Manage data, records, and automate workflows. Use when the user wants to interact with Appfire data.

0· 47·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (Appfire integration) aligns with the runtime instructions (using Membrane to talk to Appfire). However the SKILL.md requires installing and running the Membrane CLI (npm / npx / membrane) even though the registry metadata lists no required binaries — a metadata/instruction mismatch.
Instruction Scope
Instructions are focused on discovering connections and running actions via the Membrane CLI and proxying requests to Appfire. The instructions do not ask the agent to read unrelated local files or environment variables. They do, however, instruct use of npx/@membranehq/cli@latest which will fetch and execute remote code at runtime.
!
Install Mechanism
No formal install spec in the registry, but SKILL.md directs users to run `npm install -g @membranehq/cli` and uses `npx ...@latest`. Installing global npm packages or invoking npx downloads and executes code from the npm registry (moderate risk). The skill does not pin a vetted release or provide checksums.
Credentials
The skill requests no environment variables or local credentials and relies on browser-based Membrane authentication (no API keys required). However, network traffic and API requests to Appfire are proxied through Membrane's service (getmembrane.com), meaning third-party servers will see request payloads and could receive sensitive data — this is expected for a proxy-based integration but is a privacy/third-party exposure you should consider.
Persistence & Privilege
Skill does not request persistent/always-on privileges, does not declare always:true, and has no install-time config that would modify other skills or system-level settings.
What to consider before installing
Before installing, confirm you trust the Membrane service and the @membranehq/cli npm package. Installing globally or running npx will download and execute code from the npm registry and may require admin rights. Prefer pinned package versions or reviewing the CLI source/release on GitHub; understand that Appfire requests and data will be proxied via membrane.com (review their privacy/security docs). Also note the registry metadata does not declare required binaries (npm/node/membrane), so ensure the runtime environment actually has npm/node or be prepared to install them.

Like a lobster shell, security has layers — review code before you run it.

latestvk9767pd2qdvzq6ddgq4wvv3v0984en4t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments