Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Hotmart
v1.0.0
Hotmart integration. Manage data, records, and automate workflows. Use when the user wants to interact with Hotmart data.
by Membrane Dev (@membranedev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
The stated purpose (Hotmart integration) matches the instructions (use Membrane CLI to connect and run Hotmart actions). However, the skill metadata declares no required binaries or install steps, while the runtime instructions explicitly require npm, npx, and the membrane CLI. The author should have declared these requirements in the metadata.
Instruction Scope
SKILL.md instructs the agent/user to install and run the Membrane CLI, perform login flows (browser-based or headless), create connections, list actions, and run commands that will return JSON with connection and action IDs. The instructions do not ask for unrelated system files or environment variables, but they rely on the CLI to handle auth and will therefore read/write local credentials/config (not documented).
Install Mechanism
There is no formal install specification in the skill metadata, but the document tells users to run `npm install -g @membranehq/cli` and use `npx`. That implies a global npm install and a dependency on Node/npm that the metadata does not list. Global npm installs modify the system; package provenance (npm registry, package name) should be verified before running.
Credentials
The skill does not request any environment variables or external credentials in metadata. Authentication is delegated to the Membrane CLI; while that avoids explicit secret fields here, the CLI will create and store tokens/credentials locally—this is expected but not surfaced in the metadata.
Persistence & Privilege
`always` is false and autonomous model invocation is allowed (the default). If the agent is granted autonomous access, it could invoke the Membrane CLI to list or modify Hotmart connections and data. That capability is coherent with the skill's purpose but increases the blast radius if the CLI credentials are present; consider whether autonomous invocation is appropriate.
What to consider before installing
This skill is an instruction-only wrapper around the Membrane CLI and appears to be what it claims, but there are some gaps and risks to consider before installing/using it:
- The SKILL.md expects npm/npx and the `membrane` binary, but the skill metadata does not declare those requirements; ensure you have Node/npm and are comfortable installing a global package.
- Verify the @membranehq/cli package on the npm registry and the referenced GitHub repo match the publisher you trust before running `npm install -g` (global installs modify system state).
- Understand that Membrane CLI will perform OAuth/login flows and store credentials locally; if you allow the agent to run autonomously, it could use those stored tokens to access Hotmart data.
- Prefer running CLI installs and initial auth manually in a controlled environment first (non-root), confirm outputs, and review where credentials are stored (config files) before granting an AI agent permission to invoke the skill automatically.
- If you need stronger assurance, ask the skill author to declare required binaries and provide an install spec or a minimal wrapper that avoids global installs, and to document exactly where the CLI stores credentials.

Like a lobster shell, security has layers — review code before you run it.
