Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Endorsal
v1.0.0Endorsal integration. Manage Persons, Organizations, Deals, Leads, Projects, Activities and more. Use when the user wants to interact with Endorsal data.
⭐ 0· 46·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name and description (Endorsal integration) match the instructions: it uses Membrane to interact with Endorsal APIs. However, the SKILL.md requires a Membrane account and explains that credentials are stored locally (~/.membrane/credentials.json), but the skill metadata declared no required config paths or primary credential — a documentation/manifest mismatch that should have been declared.
Instruction Scope
The instructions tell the agent to run npx @membranehq/cli@latest commands and to read/use credentials saved at ~/.membrane/credentials.json. They also document a Membrane 'proxy' capability that accepts full URLs. The SKILL.md thus instructs interaction with a local credential file and performing proxied requests (which could cause authenticated requests to arbitrary endpoints). The manifest did not declare access to that config path or explain the proxy implications.
Install Mechanism
There is no formal install spec, but the runtime instructions require running npx @membranehq/cli@latest which downloads and executes code from the npm registry at runtime (unfixed 'latest' tag). This is effectively remote code execution each time and is higher risk than using a pinned release or a preinstalled, audited CLI.
Credentials
The registry lists no required environment variables or credentials, but the SKILL.md explicitly requires a Membrane account and describes credentials written to ~/.membrane/credentials.json. That config path and secret storage were not declared. Also, the ability to proxy arbitrary full URLs via Membrane could result in those stored credentials being sent to unexpected endpoints if misused.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does rely on the Membrane CLI storing credentials in the user's home directory; that side-effect is normal for CLI-based auth but should have been declared in the manifest. The skill does not appear to modify other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (talk to Endorsal via Membrane), but there are a few things to weigh before installing:
- The SKILL.md depends on the Membrane CLI and instructs running npx @membranehq/cli@latest. npx will fetch and run code from npm at runtime; consider installing a vetted/pinned version of the CLI yourself instead of relying on 'npx ...@latest'.
- The documentation says credentials are stored at ~/.membrane/credentials.json, but the skill manifest does not declare that config path. Expect the Membrane CLI to create/read that file; check its contents and filesystem permissions.
- The Membrane proxy supports passing a full URL; if misused, that could cause authenticated requests (with Membrane-managed tokens) to be sent to unexpected endpoints. Avoid using free-form full-URL proxying unless you trust the target and understand what headers and tokens will be attached.
- If you decide to use this skill: verify the authenticity of @membranehq/cli on npm, prefer pinning to a specific version, review the credential file after login, and do not paste tokens or secrets into chat. If you need stronger assurance, ask the skill author to declare the config path and to provide an install spec that pins the CLI release.
Given these mismatches and runtime risks, treat the skill as suspicious until you confirm the Membrane CLI behavior and where credentials are stored and used.Like a lobster shell, security has layers — review code before you run it.
latestvk976wstshd0swgwn671fmhaykn84e76a
License
MIT-0
Free to use, modify, and redistribute. No attribution required.