Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Burp Suite
v1.0.0
Burp Suite integration. Manage data, records, and automate workflows. Use when the user wants to interact with Burp Suite data.
by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
The skill claims to integrate with Burp Suite and its instructions consistently use the Membrane CLI to create connections and run actions against Burp. Minor mismatch: the registry metadata declares no required binaries or tools, but the SKILL.md instructs users to install the @membranehq/cli via npm (implying a need for node/npm). This is plausible but the missing declared dependency is a small inconsistency.
Instruction Scope
All runtime instructions are limited to installing and using the Membrane CLI, creating a connection, listing actions, running actions, and proxying requests through Membrane. The instructions do not ask the agent to read arbitrary local files, environment variables, or unrelated system config.
Install Mechanism
No formal install spec in the registry, but SKILL.md recommends 'npm install -g @membranehq/cli' (public npm). Installing a global npm package is a common pattern but carries moderate risk if you don't trust the package publisher; the instruction does not provide package signing or checksum verification.
Credentials
The skill declares no required environment variables or credentials and instead relies on Membrane's browser-based auth and server-side credential management. This is proportionate to a connector-style integration.
Persistence & Privilege
The skill is instruction-only, does not request 'always: true', and does not attempt to write persistent system-wide configuration or modify other skills. It requires interactive user login via Membrane, so it does not gain unattended privileged presence on its own.
Assessment
This skill uses the Membrane service and its CLI to talk to Burp Suite, so installing it routes Burp-related requests through membrane.com and requires a Membrane account. Before installing: (1) Verify you trust @membranehq on the npm registry and review its npm page and GitHub repo; (2) Confirm you’re comfortable with Burp data being proxied via a third-party service (privacy/security implications); (3) Ensure you have node/npm available (the SKILL.md expects a global npm install even though the registry metadata did not list this dependency); (4) In sensitive environments, review Membrane’s privacy and data handling docs and restrict the connector’s permissions where possible. If you cannot trust Membrane or the npm package publisher, do not install or run the CLI.
Like a lobster shell, security has layers — review code before you run it.
