Commonpaper
v1.0.0
Common Paper integration. Manage data, records, and automate workflows. Use when the user wants to interact with Common Paper data.
by Membrane Dev (@membranedev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Common Paper integration) match the runtime instructions: the skill explicitly uses the Membrane CLI to access Common Paper APIs and manage records. Required resources (network, Membrane account) are stated and appropriate for this purpose.
Instruction Scope
Instructions are limited to installing/running the @membranehq/cli, logging in via browser, listing/connecting Membrane connectors, running actions, and proxying requests through Membrane. These actions are coherent with the stated purpose. Important note: proxying sends request payloads through Membrane's servers (not directly to Common Paper), so you must trust Membrane with any data you forward.
Install Mechanism
There is no platform install spec in the registry; the SKILL.md instructs the user to run `npm install -g @membranehq/cli` and uses `npx` in examples. Installing a public npm CLI is a common approach but carries the usual npm risk (installing and running third‑party code with system privileges). This is proportionate to the CLI usage but is an action the user should consciously accept.
Credentials
The skill declares no required environment variables or local credentials and explicitly warns not to ask users for API keys. Authentication is delegated to Membrane via browser login, which is consistent and proportionate. The only remaining consideration is that credentials and request data will be stored/handled server‑side by Membrane.
Persistence & Privilege
The skill is instruction-only, has no install manifest in the registry, and does not request persistent/platform privileges (always:false). It does not attempt to modify other skills or system config. Autonomous invocation is allowed by default but is not combined with other red flags.
Assessment
This skill appears to do what it says: it uses the Membrane CLI to talk to Common Paper. Before installing:
1) Verify the @membranehq/cli package and the Membrane service (getmembrane.com / repository) are official and reputable (check npm package owner, GitHub repo, and documentation).
2) Understand that requests and auth are proxied through Membrane — any data you send will be handled/stored by their service, so review their privacy/security policies.
3) Installing the CLI with `npm install -g` or running `npx` executes third‑party code on your machine; prefer installing in a controlled environment or using non‑global installs if you have concerns.
4) Do not provide account secrets into chat; perform the browser login flow as instructed and confirm the connection IDs returned before running actions.
If you need tighter data control, consider integrating directly with Common Paper (using their API and scoped credentials) rather than proxying through a third party.
Like a lobster shell, security has layers — review code before you run it.
latest vk97bzjy1r5q2r23xvkk01f3tms84chw9
