Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crimeometer

v1.0.2

CrimeoMeter integration. Manage Deals, Persons, Organizations, Leads, Projects, Activities and more. Use when the user wants to interact with CrimeoMeter data.

by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a CrimeoMeter integration that uses Membrane as a proxy/connector, which is coherent. However the top-line description ("Manage Deals, Persons, Organizations, Leads, Projects, Activities") appears to be copy-pasted from a CRM template and does not match the rest of the document (which describes crime data endpoints). This mismatch is sloppy and could confuse users about the skill's purpose, but it does not by itself indicate malicious behavior.
Instruction Scope
All runtime instructions are limited to installing and using the Membrane CLI, creating a connection, listing actions, running actions, and optionally proxying raw requests to the CrimeoMeter API via Membrane. The instructions do not direct the agent to read unrelated files, environment variables, or system paths.
Install Mechanism
The skill is instruction-only (no install spec), but it tells the user/agent to run `npm install -g @membranehq/cli`. Installing a global npm package is a non-trivial action and pulls in arbitrary third-party code; this is a moderate-risk operation and users should verify the package's provenance (npm author, repository, and checksums) before installing on sensitive systems.
Credentials
The skill declares no required environment variables and explicitly instructs not to request API keys from users, relying on Membrane to manage credentials. That is proportionate for a proxy-based integration. There are no hidden env requirements in the SKILL.md.
Persistence & Privilege
The skill does not request always:true, has no install-time persistence spec, and does not instruct modifying other skills or system-wide agent settings. It relies on a user-installed CLI and browser-based authentication flows.
What to consider before installing
Things to consider before installing/using this skill:
- The skill uses the Membrane CLI (`@membranehq/cli`) which you must install globally via npm. Installing global npm packages runs third-party code on your machine — verify the package on npm (author, repo: https://github.com/membranedev, published versions) before installing.
- The SKILL.md will open a browser for OAuth-style login and/or require you to paste a code for headless flows; only authenticate via the official Membrane flow and be cautious in copying one-time codes from untrusted contexts.
- The skill instructs using Membrane to proxy arbitrary requests to CrimeoMeter. This is expected for this integration, but it means Membrane will see and handle request/response data and credentials — confirm you trust Membrane (privacy/security policy, where credentials are stored, and retention rules) before routing sensitive data through it.
- The top description contains CRM-like text (Deals, Leads, Organizations) that doesn't match the rest of the doc — likely a copy-paste error. Ask the publisher for clarification if you need guarantees about the skill's exact behavior or scope.
- Because this is instruction-only (no code bundled in the skill), the main risks come from installing and running the external CLI and from authorizing connections through Membrane. If you are uncomfortable, test on an isolated environment or sandbox first, and review the Membrane CLI source and package metadata.

Like a lobster shell, security has layers — review code before you run it.
