Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Digitalriver

v1.0.2

DigitalRiver integration. Manage Organizations, Leads, Projects, Pipelines, Users, Goals and more. Use when the user wants to interact with DigitalRiver data.

by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (DigitalRiver integration) matches the SKILL.md: all runtime instructions are about using the Membrane CLI to discover connectors, run actions, and proxy requests to DigitalRiver. No unrelated services, env vars, or binaries are requested.
Instruction Scope
Instructions remain scoped to installing and using the Membrane CLI, logging in, creating/using a DigitalRiver connection, running actions, and proxying API requests. They do not direct the agent to read unrelated local files or environment variables. Caveat: the skill relies on Membrane to handle and store credentials and to proxy arbitrary API requests — that centralizes trust in the Membrane service.
Install Mechanism
No install spec for the skill itself; user is instructed to install @membranehq/cli via npm (npm install -g). This is a common, traceable mechanism (public npm) but global npm installs execute third-party code on the host, so it carries the usual moderate risk of running package installation scripts — however the package source appears canonical.
Credentials
The skill declares no required env vars or credentials; instead it delegates auth to Membrane. That is proportionate for a proxy-based connector. Users should note that Membrane (and its CLI) will hold DigitalRiver credentials/tokens and will have access to data proxied through it.
Persistence & Privilege
Skill is not always-enabled and contains no install script. The only persistence implication is that the Membrane CLI itself will perform local authentication flows and typically persist tokens/config in the user's environment — expected for a CLI auth workflow.
Assessment
This skill is coherent but depends on trusting Membrane and installing their CLI. Before installing: verify you're using the official @membranehq/cli package and the repository/homepage links, install in a safe environment (not directly on a sensitive production host), and review what files/config the Membrane CLI writes (tokens/config). Understand that Membrane will hold and proxy your DigitalRiver credentials and data — only grant access you are comfortable with and revoke tokens when finished. If you need higher assurance, test with a non-production DigitalRiver account or inspect the CLI source code before installing.

Like a lobster shell, security has layers — review code before you run it.
