Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cloudflare Api Shield
v1.0.0Cloudflare API Shield integration. Manage data, records, and automate workflows. Use when the user wants to interact with Cloudflare API Shield data.
⭐ 0· 14·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name and description align with using Membrane to manage Cloudflare API Shield data. However the skill metadata lists no required binaries or credentials while the SKILL.md clearly requires npm (for a global install) and the Membrane CLI and also requires a Membrane account — this mismatch between declared requirements and runtime instructions is an inconsistency.
Instruction Scope
Runtime instructions tell the user/agent to install and use the @membranehq/cli, run interactive login flows, create connections, and use Membrane's proxy to forward requests to Cloudflare. That is coherent for a proxy-based integration, but it means API requests and Cloudflare credentials/tokens will be handled by Membrane's servers — the skill directs data to a third party rather than directly to Cloudflare. The SKILL.md does not instruct reading local secrets or unrelated files, but it does instruct making system-level changes (global npm install) and transmitting request bodies to a third-party service; users must be comfortable with that data flow.
Install Mechanism
There is no formal install spec in the registry metadata, yet the documentation instructs running `npm install -g @membranehq/cli` (or using npx). Installing a global npm package downloads and executes third-party code (moderate risk). The instruction is to use the public npm package; the registry metadata should have declared this requirement but did not.
Credentials
The skill declares no required environment variables or primary credential, which matches SKILL.md's guidance to let Membrane manage credentials. However that design shifts credential custody to Membrane — tokens and API calls will be routed through their service. No unrelated credentials are requested, but you must trust Membrane with your Cloudflare access and request payloads.
Persistence & Privilege
The skill is instruction-only, does not request always:true, and does not modify other skills or global agent config. It does not ask for persistent local credentials or set elevated agent privileges.
What to consider before installing
Before installing: (1) Understand that this skill relies on the Membrane service — when you connect, Membrane will handle and store authentication tokens and will proxy API requests, so Membrane will see request payloads and have access to the Cloudflare connection. (2) Installing the CLI uses `npm install -g` (or npx) — installing a global npm package runs third-party code on your system; review the package (package.json, maintainer, npm page, and GitHub repo) and consider installing in an isolated environment or container. (3) The registry metadata did not declare required binaries (npm/membrane CLI) — expect to have Node/npm and network access. (4) Verify the Membrane privacy/security docs and confirm you can revoke or audit credentials created via the connector. (5) If you need stronger control over credentials, prefer directly created Cloudflare API tokens scoped to least privilege rather than broad connector access. If these issues are acceptable and you trust Membrane, the skill's instructions appear coherent for its stated purpose; otherwise treat it as untrusted and avoid installing the CLI or creating connectors.Like a lobster shell, security has layers — review code before you run it.
latestvk97b0ver7n960p064ggn1kbnfn84c505
License
MIT-0
Free to use, modify, and redistribute. No attribution required.