ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Azuqua

v1.0.0

Azuqua integration. Manage data, records, and automate workflows. Use when the user wants to interact with Azuqua data.

0· 53·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill is named 'Azuqua' and claims to integrate with Azuqua, but the SKILL.md and metadata consistently point to Membrane (getmembrane.com, @membranehq CLI) and even references 'Official docs: https://help.workato.com/' which is unrelated. This mismatch suggests sloppy copy-paste or mislabeling; it's unclear whether the skill specifically targets Azuqua or is a generic Membrane integration template.
Instruction Scope
Instructions are limited to installing and using the Membrane CLI, creating connections, listing actions, running actions, and using a proxy request command. They do not ask the agent to read local files or environment variables. However, the 'membrane request' proxy lets the user (or agent) issue arbitrary proxied API calls via the connection, which is expected for an integration skill but increases power and potential for misuse if a connection is compromised.
Install Mechanism
There is no platform install spec but SKILL.md instructs installing @membranehq/cli globally via npm (npm install -g). Installing a global npm package is a moderate-risk action because the package will run locally; this is proportionate to a CLI-based skill but users should verify the package origin and integrity before running a global install.
Credentials
The skill declares no required environment variables or credentials and explicitly instructs not to ask users for API keys, instead using Membrane's connection flow. That is proportionate to the stated integration purpose. It does require a Membrane account (network access) which is reasonable for this workflow.
Persistence & Privilege
The skill does not request always:true, does not contain install-time hooks in the registry, and is instruction-only. It does not request system-wide config changes or extra privileges in the provided metadata.
What to consider before installing
This skill appears to be an instruction/template for using the Membrane CLI to access integrations, but there are red flags: the name (Azuqua) and the 'official docs' URL (help.workato.com) are inconsistent with Membrane references. Before installing or running the CLI: (1) verify the intent — confirm whether you actually need an Azuqua connector and whether Membrane provides it; (2) inspect the @membranehq/cli package on npm and the Membrane project repository to ensure you trust the package source; (3) avoid installing global npm packages from untrusted accounts or without review; (4) be aware that 'membrane request' can issue arbitrary proxied API calls through whatever connection is created — only create connections to services you trust; and (5) if you need higher assurance, ask the publisher to clarify the Azuqua/Workato/Membrane naming mismatch or provide a direct link to documentation for the specific connector.

Like a lobster shell, security has layers — review code before you run it.

latestvk979w7zw4qbtf33cgdc8428dan84b6dj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments