Cobalt
v1.0.2Cobalt integration. Manage data, records, and automate workflows. Use when the user wants to interact with Cobalt data.
⭐ 0· 114·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (Cobalt integration) aligns with the instructions: the SKILL.md explains how to locate a Cobalt connector via Membrane and run actions or proxied API requests. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Instructions direct the agent/operator to install and use the Membrane CLI, run browser-based login, create connections, list actions, run actions, and proxy arbitrary requests to the Cobalt API. These steps are consistent with integrating a third-party SaaS via a connector, but they permit broad proxied API access (i.e., arbitrary requests through Membrane) which should be expected but reviewed by the user.
Install Mechanism
The registered skill is instruction-only (no install spec) but instructs the user to run `npm install -g @membranehq/cli`. Installing a global npm package is a common pattern but pulls code from the public npm registry — a moderate-risk operation that requires trusting the package and its publisher.
Credentials
The skill does not declare or require environment variables or secrets; that is coherent because Membrane is described as handling authentication server-side. No disproportionate credential access is requested in SKILL.md.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It is user-invocable and does not modify other skills or system-wide config according to the provided files.
Assessment
This skill is coherent: it uses the Membrane CLI to access a Cobalt connector and intentionally avoids asking for API keys. Before installing, verify you trust Membrane/@membranehq and the npm package (review the package page and repository), because `npm install -g` runs third-party code on your system. Confirm the official Cobalt documentation URL (the SKILL.md references an odd cobalt.foo link) and that the connector permissions are scoped minimally. When using the proxy capability, be mindful that it can issue arbitrary requests to the Cobalt API — limit the account's privileges and monitor activity if possible.Like a lobster shell, security has layers — review code before you run it.
latestvk97egdt9wj0a2y2mg0qckvj40s842rbx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.