ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Elastic Path

v1.0.0

Elastic Path integration. Manage data, records, and automate workflows. Use when the user wants to interact with Elastic Path data.

0· 50·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Elastic Path integration) match the instructions: all actions are performed via the Membrane CLI and are about connecting to and proxying requests to Elastic Path. No unrelated credentials or capabilities are requested.
Instruction Scope
SKILL.md limits runtime behavior to installing/using @membranehq/cli, logging in (OAuth flow), creating/listing connections, running actions, and proxying requests to Elastic Path. It does not instruct reading arbitrary local files or environment variables, nor does it direct data to unexpected endpoints beyond Membrane/Elastic Path.
Install Mechanism
There is no automatic install spec in the registry; the doc tells the user to run `npm install -g @membranehq/cli` (or npx). This is a standard, user-run step but installing a third-party global npm package executes upstream code — users should verify the @membranehq/cli package and publisher before installing.
Credentials
The skill declares no required env vars, no config paths, and no primary credential. It relies on Membrane to manage authentication, which is consistent with the guidance in the doc. No disproportionate or unrelated secrets are requested.
Persistence & Privilege
The skill is not always-on, is user-invocable, and does not request modification of other skills or system-wide settings. Normal autonomous invocation is allowed by platform default but is not combined with other concerning privileges here.
Assessment
This skill is instruction-only and appears coherent, but before installing or using it: 1) verify the trustworthiness of the @membranehq/cli npm package and its publisher (review the package on npm/GitHub and check recent activity), because installing global npm packages runs upstream code; 2) understand that Membrane will proxy requests and manage credentials server-side — review Membrane's privacy/security policy to ensure you are comfortable with your Elastic Path data and tokens being handled by that service; 3) prefer using npx or a scoped/local install in isolated environments if you prefer not to install a global package; and 4) if you need higher assurance, test in a non-production environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk970yy7tpb5ae47e83pxke4qcs84fq7h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments