Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Function

v1.0.0

Function integration. Manage Deals, Persons, Organizations, Leads, Projects, Pipelines and more. Use when the user wants to interact with Function data.

by Membrane Dev (@membranedev)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious

OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to integrate with a 'Function' SaaS (CRM-like: Deals, Persons, Organizations) and uses Membrane as a proxy — that's plausible. However the SKILL.md also contains an unrelated link to MATLAB 'function' docs (likely accidental), the package source and homepage are unknown, and the skill metadata declares no required config paths while the runtime instructions explicitly create/read ~/.membrane/credentials.json. These inconsistencies suggest sloppy packaging or copy-paste errors and reduce confidence that what's declared matches actual behavior.
Instruction Scope
The runtime instructions instruct the agent to run the Membrane CLI (via npx) to create connections, list actions, run actions, and to proxy arbitrary API requests. The proxy mode allows sending arbitrary paths or full URLs through Membrane, which could be used to reach unexpected endpoints (including internal APIs) if misused. The instructions also explain browser-based login and storing credentials locally. The agent is not told to read unrelated system files, but the ability to proxy arbitrary URLs and to create persistent credentials increases the attack surface and scope of what the skill can do.
Install Mechanism
This is an instruction-only skill (no install spec or code files), but it depends on running npx @membranehq/cli@latest at runtime. That causes automatic fetching and execution of a package from the npm registry whenever invoked. While common, fetching the latest package at runtime means unreviewed code will be downloaded and executed; the skill metadata did not declare this runtime dependency (no required binaries were listed).
Credentials
Metadata declares no required env vars or primary credential, but the instructions require a Membrane account and store credentials in ~/.membrane/credentials.json. The skill asks you not to share API keys (it will use Membrane), yet it creates local persistent credentials and can proxy arbitrary requests. The lack of declared credentials/config paths is a mismatch with actual behavior.
Persistence & Privilege
The skill will cause the Membrane CLI to store authentication credentials under ~/.membrane/credentials.json and reuse them across runs. Although always:false (not force-enabled globally), the skill introduces persistent tokens on disk without having declared that persistence in metadata. Persistent credential files combined with proxy capabilities increase long-term risk if those credentials are compromised or misused.
What to consider before installing
Before installing or invoking this skill: (1) verify the legitimacy of the Membrane CLI (@membranehq/cli) and the expected behavior of its login flow; (2) be aware that using the skill will cause npx to download and execute the latest Membrane CLI from npm at runtime (consider pinning a version or reviewing the package); (3) understand that the CLI stores credentials in ~/.membrane/credentials.json — treat that file as sensitive and consider using an isolated environment or ephemeral account; (4) note the skill allows proxying arbitrary URLs through Membrane (which could be used to contact unexpected/internal endpoints), so review which endpoints you or the agent will call; and (5) the SKILL.md contains an unrelated MATLAB docs link and the metadata omits declared config paths — ask the publisher for clarification and an explicit privacy/credential-handling statement before trusting this integration.
