Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Flourish

v1.0.0

Flourish integration. Manage data, records, and automate workflows. Use when the user wants to interact with Flourish data.

by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill claims to integrate with Flourish and all runtime guidance centers on using the Membrane CLI to discover connectors, create connections, run actions, and proxy Flourish API requests. No unrelated credentials, files, or services are requested.
Instruction Scope
SKILL.md instructs running membrane CLI commands, logging in via browser, listing actions, and using Membrane's request proxy — all within the domain of integrating with Flourish. It does not ask the agent to read unrelated system files, environment variables, or transmit data to unexpected endpoints.
Install Mechanism
There is no formal install spec in the registry, but the instructions tell the user/agent to install @membranehq/cli via npm -g and to use npx for some commands. Installing a CLI from npm is a reasonable approach for this integration, but it does involve executing third‑party package code from the npm registry (and npx@latest executes remote code at runtime), which is a moderate operational risk to be aware of.
Credentials
The skill declares no required env vars or credentials and explicitly advises letting Membrane handle auth rather than asking for API keys. This is proportionate to the stated purpose.
Persistence & Privilege
The skill is instruction-only, does not request always:true, and does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) and is not combined with other concerning privileges.
Assessment
This skill is coherent: it uses the Membrane CLI to access Flourish and asks you to authenticate via browser rather than provide API keys. Before installing or using it: (1) verify the @membranehq/cli package and the getmembrane.com / GitHub links are legitimate, (2) prefer running commands in a controlled/sandboxed environment (avoid installing global packages on sensitive machines), (3) prefer npx invocation for ephemeral runs if you don't want a global install, and (4) do not provide unrelated credentials or secrets. If you need higher assurance, inspect the Membrane CLI source code or use an isolated VM/container for first-time runs.
