Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Customgpt
v1.0.2
CustomGPT integration. Manage Projects, Users, Roles, Goals, Filters. Use when the user wants to interact with CustomGPT data.
by Membrane Dev (@membranedev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (CustomGPT integration) aligns with the instructions, which use the Membrane CLI to manage agents, sources, conversations, and to proxy CustomGPT API calls. However, the registry metadata declares no required binaries or credentials while the SKILL.md explicitly requires network access and a Membrane account and instructs installing the @membranehq/cli — a mismatch between declared requirements and runtime instructions.
Instruction Scope
Runtime instructions stay within the stated integration purpose (listing/creating/updating/deleting agents, sources, conversations). They also document a 'proxy' feature that lets the user send arbitrary HTTP requests to the CustomGPT API via Membrane; this is expected for a generic integration but grants broad ability to call arbitrary endpoints and pass arbitrary data through your authenticated Membrane session.
Install Mechanism
There is no packaged install spec in the registry, but SKILL.md tells the user to run an external npm global install (npm install -g @membranehq/cli). Installing a global npm package is a moderate-risk action (it runs code from the public registry on your machine). The skill does not declare this install step in its metadata, so users might not expect it.
Credentials
The skill does not request environment variables or list a primary credential, but it requires a Membrane account and relies on the CLI to manage authentication and tokens. That credential request is proportionate to the task, but the lack of declared credentials or config expectations in the registry metadata is an inconsistency to be aware of.
Persistence & Privilege
The skill is instruction-only, has no install manifest in the registry, and is not 'always' enabled. It does not request elevated or persistent platform privileges via the registry metadata.
What to consider before installing
Before installing or using this skill:
(1) Understand you'll be asked to install and use the @membranehq/cli (global npm package) and to authenticate a Membrane account — verify you trust @membranehq/getmembrane and the package on npm.
(2) The skill can proxy arbitrary CustomGPT API calls through your authenticated Membrane session — only use it with accounts you control and avoid running it on shared or sensitive environments.
(3) Because the registry metadata doesn't declare the CLI requirement or credential access, double-check the upstream repository and package signatures (or inspect the CLI code) if you want higher assurance.
(4) If you don't want to install a global npm package, do not run these instructions; consider asking the skill author to provide an explicit install manifest and a minimal set of required permissions.
Like a lobster shell, security has layers — review code before you run it.
latest vk975vmev2wjkktgye3tf2zbdmx843sb4
