Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Coassemble

v1.0.2

Coassemble integration. Manage data, records, and automate workflows. Use when the user wants to interact with Coassemble data.

by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the instructions: the skill uses the Membrane CLI to access Coassemble actions and proxy API calls. However the registry metadata declared no required binaries or credentials while SKILL.md explicitly requires installing and running the @membranehq/cli and having a Membrane account — a mismatch between metadata and runtime requirements.
Instruction Scope
The SKILL.md tells the agent to install and run the Membrane CLI, perform browser-based login, create connections, run actions, and optionally proxy arbitrary API requests through Membrane. Those actions are within the stated integration purpose, but the use of Membrane's proxy means API requests and Coassemble data will flow through a third party (getmembrane.com), which may be unexpected to users.
Install Mechanism
This is an instruction-only skill (no install spec), so nothing is written by the skill itself. The README instructs users to run `npm install -g @membranehq/cli` — installing a global npm package from the public registry. That is a common install path but is not vetted by the skill metadata; the package and install are a moderate-risk action you should verify before running.
Credentials
The skill declares no environment variables and does not request local credentials, instead relying on Membrane account login and the CLI to manage credentials. This is proportionate to the task, but it means credentials and API traffic will be managed/stored by the Membrane service/CLI rather than kept purely local — verify their storage/retention and trustworthiness.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request special platform privileges or claim to modify other skills. There is no built-in persistence or elevated platform privilege requested in the manifest.
What to consider before installing
This skill appears to do what it says (manage Coassemble via Membrane), but note three things before you proceed:

1) Metadata vs instructions: the registry says 'no required binaries' but the SKILL.md requires installing and using the @membranehq/cli and a Membrane account. Expect to install software and perform interactive login.
2) Third‑party routing: using the Membrane CLI/proxy will cause your Coassemble API requests and authentication to pass through Membrane (getmembrane.com). If your data or credentials are sensitive, review Membrane's privacy/security docs and confirm how tokens are stored, who can access traffic, and retention policies.
3) Verify the CLI package: installing a global npm package has system impact. Inspect the npm package, its maintainer, and the linked repository (https://github.com/membranedev/application-skills) before running `npm install -g @membranehq/cli`. Consider installing in an isolated environment (container/VM) or using non-global install options if you want to limit system-wide effects.

If you need higher assurance, ask the publisher for an explicit install spec and a signed release, or prefer a direct Coassemble integration that doesn't route through a third party.

Like a lobster shell, security has layers — review code before you run it.
