Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Deputy

v1.0.2

Deputy integration. Manage Employees, Locations, LeaveRequests, Timesheets, PayRates. Use when the user wants to interact with Deputy data.

by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to integrate with Deputy and the instructions consistently use the Membrane CLI to access Deputy APIs and proxy requests. Using Membrane to handle auth and API proxying is coherent with the stated purpose.
Instruction Scope
Instructions are limited to installing and using the Membrane CLI, creating connections, listing actions, running actions, and proxying requests to Deputy. They rely on browser-based OAuth flows (or a headless code flow) and do not instruct reading unrelated files or environment variables.
Install Mechanism
There is no install specification in the registry entry, but SKILL.md instructs users to run `npm install -g @membranehq/cli` and then use the `membrane` binary. That is a moderate-risk, registry-based install (npm) and the skill implicitly requires npm and a globally installed binary — none of which are declared in the metadata. The SKILL.md is instruction-only (no archived downloads), which reduces risk compared with arbitrary URL downloads, but the missing install declaration is an incoherence.
Credentials
The skill does not request environment variables or credentials in the registry metadata and explicitly says to let Membrane handle credentials (do not ask users for API keys). It does require a Membrane account (network access) but does not declare required binaries like npm or membrane. No unrelated secrets are requested in the instructions.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide configuration changes. Autonomous invocation is allowed (default) but not combined with other concerning privileges.
What to consider before installing
This skill appears to be a straightforward Deputy integration that uses the Membrane CLI as a proxy/auth layer, but the registry metadata omits the practical requirement to install and run the Membrane CLI (and implicitly npm). Before installing or using it:
1) Verify the npm package @membranehq/cli (publisher, npm page, recent versions and popularity).
2) Confirm you are comfortable installing a global npm CLI and opening a browser OAuth flow (or performing the headless code flow).
3) Confirm the Membrane service (getmembrane.com) is trusted by your organization and review its privacy/auth handling — the CLI will hold tokens for Deputy access.
4) Because the registry entry is instruction-only and the SKILL.md is truncated near the end, ask the publisher for a full, explicit install spec and for the exact permissions/scopes the Deputy connection will request.
If you need least privilege, prefer creating a Deputy API credential with restricted scopes and verify that Membrane's connection uses those restrictive scopes.
