ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cats

v1.0.2

CATS integration. Manage data, records, and automate workflows. Use when the user wants to interact with CATS data.

0· 77·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a CATS integration implemented via the Membrane CLI, which is consistent with the stated purpose. However the document includes an 'Official docs' link to developers.thecatapi.com (The Cat API) which appears unrelated to Membrane and creates ambiguity about which service 'CATS' actually refers to.
Instruction Scope
Runtime instructions are limited to installing/using the Membrane CLI, logging in interactively, creating connections, running actions, and proxying requests. The instructions do not ask the agent to read local files or unrelated environment variables, nor to exfiltrate credentials — they explicitly advise using Membrane for auth.
Install Mechanism
This is an instruction-only skill (no install spec). It tells users to run 'npm install -g @membranehq/cli'. That's a standard global npm step but does write binaries to the system PATH; the registry won't auto-install it. Users should verify the @membranehq/cli package and trust the publisher before running a global install.
Credentials
No environment variables, credentials or config paths are requested by the skill. Authentication is delegated to Membrane's login flow (browser-based), which is proportionate for a connector-based integration.
Persistence & Privilege
The skill does not request always:true, does not declare persistent system-level changes, and is user-invocable. It therefore does not demand elevated or permanent privileges.
What to consider before installing
This skill is an instruction-only integration that expects you to install and use the Membrane CLI and to authenticate via a browser-based Membrane login. Before proceeding: (1) verify that 'CATS' means the service you expect — the SKILL.md's 'Official docs' link points to The Cat API which may be unrelated; (2) confirm you trust the @membranehq/cli package and the Membrane vendor (global npm installs add binaries to your system); (3) understand that requests will be proxied through Membrane, so any data sent to the CATS API will transit Membrane's servers — review their privacy/security policies if transmitting sensitive data; and (4) if anything in the skill's purpose or links looks off (mismatched docs or untrusted repository/homepage), investigate the publisher or choose not to install. If you want higher assurance, ask the skill author for clarification of what 'CATS' refers to and for a link to the exact connector documentation in Membrane.

Like a lobster shell, security has layers — review code before you run it.

latestvk9776pzx9fv0x8f6e3h4qph835843mhc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments