Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Idealpostcodes
v1.0.2IdealPostcodes integration. Manage Postcodes. Use when the user wants to interact with IdealPostcodes data.
⭐ 0· 145·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md presents a Membrane-backed IdealPostcodes integration and instructs using the Membrane CLI — that aligns with the stated purpose. However the 'Popular actions' list includes items that look generic or unrelated to IdealPostcodes (e.g., Verify Address (US), Validate Phone Number, Validate Email) and there are small naming inconsistencies (UMPRN/UPRN/UDPRN). This suggests the document is a generic Membrane connector template reused for IdealPostcodes rather than a carefully curated, connector-specific skill.
Instruction Scope
All runtime instructions are limited to installing the Membrane CLI, authenticating via browser, listing connections/actions, running actions, and proxying API requests through Membrane. The instructions do not ask the agent to read local files or unrelated environment variables. The 'proxy requests' capability allows arbitrary requests to the IdealPostcodes API (and via Membrane, possibly other proxied endpoints for that connection), which is expected for a connector but broad in scope — verify you trust the Membrane account/connector before allowing it to proxy traffic.
Install Mechanism
No install spec in skill bundle; the SKILL.md recommends installing @membranehq/cli via npm (global). Installing an npm CLI is a common, moderate-risk choice; the package comes from the public npm registry. This is proportionate to the CLI-driven instructions, but users should confirm the package name/maintainer and review npm package reputation before global install.
Credentials
The skill declares no required environment variables, credentials, or config paths. SKILL.md explicitly tells users not to share API keys and to let Membrane handle credentials. This is proportionate to the described Membrane-based integration.
Persistence & Privilege
The skill is not marked always:true and requests no special system persistence or changes to other skills. It relies on user-driven Membrane CLI auth (browser-based), which is normal. The skill can be invoked autonomously by the agent (platform default), but that is not unique to this skill and is not in itself flagged here.
What to consider before installing
This is an instruction-only skill that tells the agent to use the Membrane CLI to talk to IdealPostcodes. Before installing: (1) verify the Membrane CLI package (@membranehq/cli) on npm and confirm you trust its publisher; (2) confirm the Membrane connector actually exposes the IdealPostcodes endpoints you need — the 'Popular actions' in the doc look like a generic template and may not reflect what this connector supports; (3) be aware that using 'membrane request' will proxy arbitrary HTTP calls for that connection, so only connect an account you trust and avoid exposing unrelated secrets; (4) prefer logging into Membrane via the browser flow (recommended) and review the permissions requested during auth. If you need higher assurance, ask the skill author for a connector-specific action list or a pointer to the exact Membrane connector documentation/source for IdealPostcodes.Like a lobster shell, security has layers — review code before you run it.
latestvk975c1gk9q1j44by1d8vja467h843a5v
License
MIT-0
Free to use, modify, and redistribute. No attribution required.