ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Double

v1.0.0

Double (formerly Keeper) integration. Manage data, records, and automate workflows. Use when the user wants to interact with Double (formerly Keeper) data.

0· 50·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim a Double (formerly Keeper) integration and the SKILL.md exclusively documents using the Membrane CLI to discover connectors, create connections, run actions, and proxy API requests. The declared lack of required env vars, binaries, or config paths matches the instruction-only approach. The npm-based CLI install is reasonable for a CLI-driven integration.
Instruction Scope
Instructions are narrowly scoped to installing/running the @membranehq/cli, performing browser-based auth (membrane login), creating/using connections and running actions or proxied requests via the CLI. The instructions do not tell the agent to read unrelated files, ask for unrelated credentials, or exfiltrate data to third-party endpoints outside of Membrane/Double.
Install Mechanism
There is no install spec in the registry (the skill is instruction-only). The SKILL.md tells the user to run `npm install -g @membranehq/cli`. Installing a global npm package is a common pattern but carries moderate trust risk — you should verify the package source and review @membranehq/cli before installing on sensitive systems.
Credentials
The skill does not request environment variables, API keys, or config paths. The README explicitly recommends letting Membrane handle credentials and not asking users for API keys, which is proportionate for a connector-based integration.
Persistence & Privilege
The skill is not force-included (always: false) and does not request persistent system-wide changes. The default platform ability for the agent to invoke skills autonomously remains in effect, but this skill does not additionally request elevated persistence or unique privileges.
Assessment
This skill is an instructions-only integration that uses the Membrane CLI to manage Double connections and actions. Before installing or running commands: (1) verify the @membranehq/cli package and its homepage (getmembrane.com) are trustworthy and come from the expected vendor; (2) be aware you'll be asked to complete browser-based authentication (or copy codes in headless environments), which grants Membrane access to the target service — review Membrane's privacy/security docs; (3) understand the skill will run shell commands you invoke (or the agent may invoke them autonomously when permitted), so run it only in environments where installing a global npm package and running CLI commands is acceptable; (4) note a minor branding inconsistency in the README ("Double (formerly Keeper)") — confirm you are integrating with the correct service. If you need higher assurance, ask the publisher for a signed package or install the CLI in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk9709c5nbaf5bhzs5292g6a4w584c574

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments