ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Docupilot

v1.0.2

Docupilot integration. Manage Documents, Users, Workspaces. Use when the user wants to interact with Docupilot data.

0· 187·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Docupilot integration) align with the instructions: all actions are about listing/creating/updating templates, folders, connections, and proxying Docupilot API calls via Membrane. Nothing requested is unrelated to the stated purpose.
Instruction Scope
SKILL.md only instructs installing and using the Membrane CLI, performing connector discovery, running pre-built actions, and proxying requests. It does not ask the agent to read local files, export unrelated environment variables, or exfiltrate data to unexpected endpoints.
Install Mechanism
No install spec in the registry; instructions recommend running `npm install -g @membranehq/cli`. This is a reasonable, common approach but installing global npm packages executes code from the npm registry — users should ensure they trust the package/publisher and be aware of elevated permissions needed for global installs.
Credentials
The skill declares no required env vars or credentials and explicitly says Membrane manages auth. That matches the instructions (browser-based login/connector flows). There are no unrelated credential requests.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent presence or attempt to modify other skills/config. Autonomous invocation is allowed by platform default but not combined with other red flags here.
Assessment
This is an instruction-only skill that uses the Membrane CLI to access Docupilot; it appears internally consistent. Before installing, verify you trust the Membrane project/publisher (check https://getmembrane.com and the @membranehq npm package), because `npm install -g` executes code from the registry and may require elevated permissions. Understand that linking your Docupilot account happens via the Membrane connector flow (browser OAuth/login), so review Membrane’s privacy/security docs if you are concerned about centralizing credentials. If you prefer lower risk, run the CLI in a sandboxed environment or on a machine/account dedicated to integrations.

Like a lobster shell, security has layers — review code before you run it.

latestvk973w173js55ge9j9afcj3f4hd842vgd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments