Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Font Awesome

v1.0.0

Font Awesome integration. Manage data, records, and automate workflows. Use when the user wants to interact with Font Awesome data.

by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (Font Awesome integration for managing data/workflows) matches the runtime instructions, which exclusively describe using the Membrane CLI to create a connector, list/run actions, and proxy API requests. There are no unrelated environment variables, binaries, or config paths requested.
Instruction Scope
SKILL.md gives step-by-step CLI instructions: install Membrane CLI, run membrane login, create/connect a Font Awesome connector, list/run actions, and proxy requests. The instructions do not ask the agent to read arbitrary files, scan the system, or exfiltrate unrelated data. They do rely on opening a browser for OAuth-style login, which is expected for this flow.
Install Mechanism
The skill itself has no install spec, but SKILL.md instructs users to install @membranehq/cli globally via npm (-g) or to use npx. Installing a global npm package executes code from the npm registry and is a moderate-risk action — expected for this integration but worth user review of the package and publisher before installation.
Credentials
The skill declares no required env vars or credentials and instead uses a Membrane account/connection model. Requiring a Membrane tenant and network access is proportionate to the described behavior. The instructions explicitly advise not to ask users for Font Awesome API keys, which is appropriate.
Persistence & Privilege
The skill is instruction-only, doesn't request permanent 'always' inclusion, and does not instruct modifying other skills or system-wide agent settings. Normal autonomous invocation is allowed (platform default) and is not by itself a red flag here.
Assessment
This skill is instruction-only and appears coherent: it tells the agent to use the Membrane CLI to manage Font Awesome connectors and run proxied API calls. The main risk is installing and trusting the Membrane CLI from npm (global install executes third‑party code). Before installing, verify the @membranehq/cli package and publisher, prefer using npx when possible, review Membrane's privacy/security docs, and be aware that authenticating via the browser delegates Font Awesome credentials to Membrane (the connector will allow Membrane to access your Font Awesome account). If you cannot or do not want to install third-party CLI tools or delegate credentials to a proxy service, do not install this skill.


latest: vk97448hb4v4dx3gv67m2xds8e184g6hg
