Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Artilleryio
v1.0.2Artillery.io integration. Manage data, records, and automate workflows. Use when the user wants to interact with Artillery.io data.
⭐ 0· 77·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md clearly requires the @membranehq/cli (installed via npm or invoked via npx) and a Membrane account to access Artillery.io. The registry metadata, however, lists no required binaries or credentials. That omission is inconsistent: a working integration does require the Membrane CLI and network access.
Instruction Scope
Instructions are focused on using Membrane to discover connectors/actions, run actions, and proxy raw requests to the Artillery.io API. This is consistent with the stated purpose. However, 'membrane request CONNECTION_ID /path' lets the user (or an agent following these instructions) proxy arbitrary API calls through Membrane — which could be used to send or retrieve any data accessible via the connected account. The docs also instruct interactive login flows (browser/code) — expected but requires user attention in headless contexts.
Install Mechanism
There is no install spec in the registry (instruction-only), but SKILL.md asks the user to run 'npm install -g @membranehq/cli' or use 'npx ...@latest'. Relying on a global npm install or npx at runtime is common but carries the usual npm supply-chain risks; the skill does not declare this requirement in metadata, which is an inconsistency to correct.
Credentials
The skill does not request environment variables or credentials in metadata. SKILL.md explicitly advises letting Membrane handle credentials server-side and not to ask users for API keys, which is proportionate to its purpose. Note: using Membrane requires a Membrane account; the account's permissions determine what the skill can access via the proxy.
Persistence & Privilege
The skill does not request always: true and does not modify agent/system configs. It is user-invocable and allows autonomous invocation by default (platform default); no additional persistence or elevated privilege is requested.
What to consider before installing
This skill appears to be a thin wrapper around the Membrane CLI to access Artillery.io, which is coherent — but check these before installing:
- The SKILL.md requires the @membranehq/cli (npm) and a Membrane account, yet the registry metadata lists no required binaries; expect to install or run the Membrane CLI (npx or global npm). The metadata should be updated to reflect that.
- Verify you trust the Membrane project and npm package: inspect the package on npm, the publisher, and the repository (SKILL.md points to https://github.com/membranedev/application-skills and homepage https://getmembrane.com).
- Be cautious when using 'membrane request' or running arbitrary actions: these commands proxy requests through your Membrane connection and can send/receive any data available to that connected account. Do not send sensitive secrets or production credentials through the proxy unless you understand the access scope.
- Prefer running the CLI commands manually first to confirm behavior (login flow, connection listing, action outputs) before allowing an automated agent to run them autonomously.
- If you need stricter control, require the skill author to declare the Membrane CLI as a required binary in metadata and provide an install spec or signed release, or restrict the agent's ability to invoke the skill until you have validated the package and account permissions.Like a lobster shell, security has layers — review code before you run it.
latestvk973s2r61c81adxf96gqzde2n5843sem
License
MIT-0
Free to use, modify, and redistribute. No attribution required.