Crowddev
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: crowddev
Version: 1.0.2
The crowddev skill provides instructions for an AI agent to manage community data via the Membrane CLI. It includes steps for installing the '@membranehq/cli' npm package, authenticating, and executing actions or proxy requests to the Crowd.dev API. The instructions in SKILL.md are well-documented, transparent, and align with the stated purpose of community management without any signs of malicious intent, data exfiltration, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could modify or delete important Crowd.dev business/community records, or send broad authenticated API requests, if a task is ambiguous or the wrong action/path is chosen.
The skill exposes destructive Crowd.dev operations and a raw authenticated proxy that can send write or delete requests. The provided visible instructions do not show explicit confirmation, rollback, endpoint limits, or containment for those high-impact actions.
| Delete Organizations | delete-organizations | Delete one or more organizations by IDs |
...
| Delete Members | delete-members | Delete one or more members by IDs |
...
membrane request CONNECTION_ID /path/to/endpoint
...
HTTP method (GET, POST, PUT, PATCH, DELETE)
Require explicit user confirmation for every create, update, delete, or non-GET proxy request; prefer predefined Membrane actions; show the exact records and API endpoint before execution.
The connected account's permissions determine what the agent can read or change in Crowd.dev.
The skill relies on delegated Membrane/Crowd.dev authentication and automatic credential refresh. This is expected for the integration, but it gives the CLI authenticated access to the connected account.
membrane login --tenant ... Membrane handles authentication and credentials refresh automatically ... injects the correct authentication headers
Use the least-privileged Crowd.dev/Membrane connection available and disconnect or revoke access when it is no longer needed.
Installing a global CLI changes the local environment and trusts the npm package and its dependencies.
The skill asks for a global npm CLI installation. This is central to the stated Membrane integration, but it is an external unpinned package install documented outside the registry install spec.
Install the Membrane CLI so you can run `membrane` from the terminal: npm install -g @membranehq/cli
Verify the package publisher/source before installation, consider pinning a version, and install it in a controlled environment if possible.
