Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Google Recaptcha
v1.0.0
Google reCAPTCHA integration. Manage data, records, and automate workflows. Use when the user wants to interact with Google reCAPTCHA data.
⭐ 0· 23·0 current·0 all-time
by Membrane Dev @membranedev
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the instructions: the skill is an integration that uses the Membrane CLI to manage Google reCAPTCHA connections and proxy API calls. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md only instructs installing @membranehq/cli, authenticating via membrane login, creating connections, listing actions, running actions, and proxying requests. It does not direct reading unrelated files, exfiltrating environment variables, or calling unexpected external endpoints beyond Membrane and Google reCAPTCHA.
Install Mechanism
The skill is instruction-only (no install spec). It recommends installing the Membrane CLI via npm (npm install -g @membranehq/cli). Installing a third-party global npm package is a normal but non-trivial action — you should verify the package and its source before installing.
Credentials
The skill requests no local environment variables or API keys and explicitly recommends letting Membrane handle credentials. That is proportionate, but it means you must trust Membrane with your Google reCAPTCHA credentials and data; the risk is a trust/third-party access tradeoff rather than overbroad local permissions.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and does not request modifications to other skills or system-wide settings. It does rely on an external account (Membrane) but does not request elevated persistent platform privileges.
Scan Findings in Context
[no-findings] expected: The repo had no code files for regex scanning (instruction-only SKILL.md). This is expected; absence of findings does not eliminate runtime trust considerations (Membrane CLI install and service trust remain relevant).
Assessment
This skill appears coherent and focused: it relies on the Membrane CLI to manage authentication and calls to Google reCAPTCHA. Before installing or using it, do the following: (1) Verify the @membranehq/cli npm package and its publisher (check the npm page, GitHub repo, and release history) because installing a global package adds code to your system. (2) Review Membrane’s privacy, security, and credential-storage policies — using this skill means giving Membrane access to your reCAPTCHA connections. (3) Limit connections to only the sites/accounts you intend to manage and use least privilege where possible. (4) If you need stronger assurance, request the skill author supply a signed source repository or an audited CLI binary. If any part of SKILL.md instructed reading local secrets or installing binaries from arbitrary URLs, or if the skill requested unrelated credentials, the assessment would be different.
Like a lobster shell, security has layers — review code before you run it.
latest vk972776d6qs0hhb8tw4warqy25846yem
