ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bannerbear

v1.0.2

Bannerbear integration. Manage data, records, and automate workflows. Use when the user wants to interact with Bannerbear data.

0· 146·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim Bannerbear integration and the SKILL.md consistently instructs the agent to use the Membrane CLI to list/connect/run Bannerbear actions and proxy requests. Required items (network access, Membrane account, installing @membranehq/cli) are proportional to the stated purpose.
Instruction Scope
Runtime instructions are narrowly scoped: install Membrane CLI, authenticate via membrane login, create/inspect connections, list actions, run actions, or proxy requests to Bannerbear via Membrane. The instructions do not ask the agent to read unrelated files, exfiltrate local secrets, or call unexpected endpoints beyond Membrane/Bannerbear.
Install Mechanism
No install spec in the skill bundle (instruction-only). The SKILL.md asks users to run npm install -g @membranehq/cli — a standard global npm install. This is a common, reasonable step but carries normal supply-chain and privilege considerations for global npm installs.
Credentials
The skill declares no required env vars or credentials. Authentication is handled via Membrane (browser-based OAuth/connector flow), which is expected for a proxy/integration. The only proportional concern is that using the skill requires trusting Membrane to store/manage Bannerbear credentials on your behalf.
Persistence & Privilege
The skill is instruction-only, does not request always:true, and does not modify other skills or system-wide settings. It relies on a user-invoked CLI login flow; no persistent elevated privileges are requested by the skill itself.
Assessment
This skill appears consistent: it expects you to install the official Membrane CLI and to authenticate via Membrane so Membrane can proxy Bannerbear API calls. Before installing/use: (1) confirm you trust getmembrane.com/@membranehq and the @membranehq/cli npm package (check package authorship and npm page); (2) prefer installing the CLI in a non-global or isolated environment if you have strict policies (or use a container/VM); (3) understand that Membrane will hold and use your Bannerbear credentials on your behalf — review Membrane's privacy/security docs and the connector permissions when you authenticate; (4) avoid running commands in sensitive environments without approval. If you want stronger assurance, request the skill author to provide a signed source repo or to confirm the exact npm package version to install.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bvgk9vxqyzmsrmyp6etfnxx843c6n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments