Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Goose
v1.0.0
Goose integration. Manage data, records, and automate workflows. Use when the user wants to interact with Goose data.
by Membrane Dev (@membranedev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description state a Goose integration and the instructions exclusively show how to use the Membrane CLI to discover connectors, create connections, run actions, and proxy requests to Goose. No unrelated env vars, binaries, or privileged actions are requested.
Instruction Scope
SKILL.md limits runtime actions to installing/using @membranehq/cli, authenticating via browser/headless flow, listing/connecting actions, and proxying requests through Membrane. It does not instruct reading arbitrary local files, environment variables, or sending data to unexpected endpoints outside Membrane/Goose.
Install Mechanism
There is no automated install spec, but SKILL.md instructs the user to run `npm install -g @membranehq/cli`. This is a reasonable, expected instruction for a CLI-based integration but carries normal npm/global-install risks (privilege to write global binaries). Recommend verifying the npm package and source before installing.
Credentials
The skill declares no required environment variables and explicitly instructs not to ask users for API keys. Authentication is done via Membrane's login flow (browser/headless); this is proportional, but note that Membrane will hold and proxy credentials on behalf of the user.
Persistence & Privilege
Skill is not always-enabled and has no install-time code that would persist or modify other skills. It allows normal autonomous invocation (default platform behavior) but does not request elevated or persistent system privileges.
Scan Findings in Context
[no-findings] expected: The regex scanner had no findings because this is an instruction-only skill with no code files; that is expected for SKILL.md-only skills.
Assessment
This skill is coherent and appears to do what it says: use the Membrane CLI to talk to Goose. Before installing or using it: verify the @membranehq/cli package on npm (and the publisher) and the Membrane homepage/repository; review Membrane's privacy and terms because Membrane will hold and proxy your Goose credentials and request data; be aware `npm install -g` will write global binaries — use a container, virtualenv, or limited account if you want to reduce risk; if you are uncomfortable with autonomous skill invocation, keep the skill disabled for agent-autonomy or review invocation controls in your agent management UI.
Like a lobster shell, security has layers — review code before you run it.
