ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fabrick

v1.0.0

Fabrick integration. Manage data, records, and automate workflows. Use when the user wants to interact with Fabrick data.

0· 19·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Fabrick integration) match the instructions: everything is about discovering and invoking Fabrick actions via Membrane. There are no unrelated credentials, binaries, or paths requested.
Instruction Scope
SKILL.md confines itself to using the Membrane CLI, creating connections, listing actions, running actions, and proxying requests to Fabrick. It does not instruct the agent to read unrelated files, exfiltrate data, or access other system credentials. It requires network access and a Membrane account (documented).
Install Mechanism
No install spec in the registry (instruction-only), but SKILL.md tells the user to install @membranehq/cli via npm (npm install -g). This is an expected, common install method for a CLI but carries the usual risk of installing third-party npm packages; nothing in the skill asks to download from ad-hoc URLs or run obscure installers.
Credentials
The skill declares no required environment variables, config paths, or primary credentials. SKILL.md explicitly recommends letting Membrane handle credentials and not asking users for API keys — this is proportionate to the stated functionality.
Persistence & Privilege
always is false and the skill does not request persistent system-wide changes. There is no instruction to modify other skills or system-wide configs. Autonomous invocation is the platform default and is not combined with other concerning flags.
Assessment
This skill appears coherent: it instructs use of the Membrane CLI to connect to Fabrick and does not ask for unrelated credentials. Before installing/using: 1) Verify you trust the @membranehq/cli npm package and review its GitHub/npm pages; installing global npm packages modifies your system and can be risky if the package is malicious. 2) Use a separate account or sandbox environment if you want to limit blast radius while evaluating. 3) Follow the documented browser-based OAuth flow rather than pasting secrets into chat or the agent. 4) Confirm the Membrane account permissions you'll grant (which Fabrick scopes the connection will have). 5) If you need stronger assurance, inspect the Membrane CLI source or run it in an isolated environment (container/VM) before granting access to production data.

Like a lobster shell, security has layers — review code before you run it.

latestvk9799g95qr1km5vzg2rmqe7dp5848p8r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments