ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Celigo

v1.0.0

Celigo integration. Manage data, records, and automate workflows. Use when the user wants to interact with Celigo data.

0· 51·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill declares Celigo integration but uses Membrane as the intermediary—this is coherent. However the registry metadata does not declare that Node/npm or the ability to install a global npm package (@membranehq/cli) is required; the SKILL.md instructs users to perform a global npm install and to run the membrane CLI. This is a minor mismatch between declared requirements and the runtime instructions.
Instruction Scope
SKILL.md confines runtime actions to installing/using the Membrane CLI, performing browser-based login, creating connections, listing actions, running actions, and proxying requests to Celigo. It does not instruct reading arbitrary files, scanning the host, or exfiltrating environment variables. It does assume network access and a Membrane account.
Install Mechanism
There is no automated install spec in the registry (lowest-risk), but the instructions tell the user to run `npm install -g @membranehq/cli` (a public npm package). Using a public scoped npm package is expected for this workflow, but global npm installs require privilege and trust—consider using npx/local installs to reduce risk.
Credentials
The skill declares no required environment variables or credentials. The SKILL.md explicitly advises against asking users for API keys and states Membrane manages auth server-side. This is proportionate, but it means Membrane will hold and use the Celigo credentials, so trusting Membrane's service and privacy practices is necessary.
Persistence & Privilege
always:false and there is no install-time modification of other skills or system-wide agent settings. The skill can be invoked autonomously (default), which is normal for skills and not by itself a concern.
Assessment
This skill is internally consistent: it uses Membrane as a proxy to Celigo and does not request unrelated secrets. Before installing, confirm you trust the @membranehq npm package and getmembrane.com (review their GitHub, org, and package popularity). Note SKILL.md assumes Node/npm and suggests a global npm install—consider using npx or a local install to avoid installing global binaries. Understand that Membrane will manage Celigo credentials server-side (so your Celigo data and tokens will be handled by Membrane); review their privacy/security docs and use least-privilege test accounts if you want to trial the integration first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bhdzantynvsm0a9e4wdseen849p9a

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments