Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Checkmarx v1.0.2
Checkmarx integration. Manage data, records, and automate workflows. Use when the user wants to interact with Checkmarx data.
by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)

Purpose & Capability
The skill's stated purpose (interact with Checkmarx) matches the instructions, which use Membrane as a proxy to Checkmarx. However, the skill omits that it requires npm/node (for the global @membranehq/cli) and a Membrane account in the registry metadata — a minor incoherence in stated requirements.
Instruction Scope
All runtime instructions direct the agent to use the Membrane CLI and Membrane's proxy to send requests to Checkmarx. That means Checkmarx API calls (and any request bodies) will be routed via Membrane's servers — the SKILL.md explicitly promises transparent auth and credential handling. Users should be aware that this forwards potentially sensitive data (scan payloads, source identifiers, query results) to a third-party service rather than making direct API calls to Checkmarx.
Install Mechanism
There is no install spec in the registry, but the SKILL.md instructs a global npm install (@membranehq/cli). Installing a global npm package executes code from the public npm registry and writes to disk; this is expected for a CLI integration but should be considered a moderate risk and the SKILL metadata should have declared npm/node as required.
Credentials
The skill declares no required environment variables or credentials (consistent with Membrane handling auth). That is proportionate, but it also means Checkmarx credentials are managed by Membrane server-side — verify that handing credentials/data to Membrane aligns with your security policies.
Persistence & Privilege
The skill does not request persistent privileges (always: false), does not modify other skills, and does not declare system-wide config changes. Autonomous invocation is allowed (platform default) but not itself a new risk here.
What to consider before installing
Before installing or using this skill:
(1) Understand that it routes Checkmarx requests and payloads through Membrane's service (getmembrane.com) — review Membrane's privacy, security, and data retention policies and confirm you trust the operator.
(2) The SKILL.md requires installing a global npm package (@membranehq/cli) and a Membrane account; the registry metadata did not declare npm/node or the account dependency — ensure you have a secure environment for global npm installs.
(3) Avoid sending highly sensitive source code or secrets until you've validated Membrane's trustworthiness and your organization's policy for third-party proxies.
(4) If you need more assurance, ask the publisher for a signed package or source link for the exact @membranehq/cli version to verify integrity, and confirm the integration's data flows with your security team.
