ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Flipando

v1.0.2

Flipando integration. Manage Deals, Persons, Organizations, Leads, Projects, Activities and more. Use when the user wants to interact with Flipando data.

0· 143·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The registry-level description mentions CRM-like objects (Deals, Persons, Organizations, Leads, Projects, Activities) while the SKILL.md describes Flipando as a platform for interactive experiences (quizzes, games, polls). The skill then instructs use of Membrane to interact with 'Flipando' apps. This mismatch (CRM vs interactive-app) is unexplained and could indicate the metadata was copied/templated incorrectly or the skill targets a different service than advertised.
Instruction Scope
The SKILL.md confines runtime behavior to installing/using the Membrane CLI and running Membrane commands (login, connect, action run, request). It does not instruct reading local files, environment variables, or sending data to arbitrary third-party endpoints beyond Membrane/Flipando. This is appropriately scoped, but it depends entirely on a third-party CLI and network auth flows.
Install Mechanism
There is no platform install spec; the skill is instruction-only and tells the user to run `npm install -g @membranehq/cli`. Asking users to install a global npm CLI is common but carries risk (npm packages run arbitrary code at install). The skill does not download arbitrary files itself and has no extract steps.
Credentials
The skill declares no required environment variables and relies on Membrane's browser-based login/connection model, which is proportionate to the described CLI-based workflow. However, the initial metadata implying CRM-style data (which often requires separate API keys) conflicts with this; the lack of declared credentials is therefore notable and unexplained.
Persistence & Privilege
No elevated privileges requested: always is false, no required config paths, no installs performed by the platform. The skill is user-invocable and does not demand persistent presence or automatic inclusion.
What to consider before installing
Before installing or using this skill: (1) resolve the mismatch — ask the publisher which 'Flipando' this targets (interactive apps vs CRM) and confirm the intended objects/actions; (2) review the @membranehq/cli package on npm (maintainer, download counts, source repo) before running a global npm install; (3) confirm you are comfortable letting Membrane manage authentication (it performs browser-based login and stores credentials server-side); (4) do not share unrelated credentials — the skill's instructions explicitly avoid asking for API keys; (5) if in doubt, test in a sandbox environment and inspect Membrane/GitHub repositories linked from the homepage for signs of legitimacy before granting access.

Like a lobster shell, security has layers — review code before you run it.

latestvk972m58np79sfvcby278wzsta5842xkk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments