ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Incorta

v1.0.0

Incorta integration. Manage data, records, and automate workflows. Use when the user wants to interact with Incorta data.

0· 43·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill declares an Incorta integration and all runtime instructions use the Membrane CLI to connect to Incorta. Asking users to install @membranehq/cli and to authenticate via Membrane is coherent with the stated purpose.
Instruction Scope
SKILL.md only instructs installing and using the Membrane CLI, creating connections, running actions, and proxying requests to Incorta via Membrane. It does not instruct reading unrelated files, harvesting environment variables, or sending data to unexpected endpoints. It does rely on Membrane to perform authentication and proxying.
Install Mechanism
No install spec in the skill bundle (instruction-only). The doc recommends npm -g install of @membranehq/cli and also demonstrates npx usage; npm global installs are a moderate-risk mechanism (third-party package execution), but this is a reasonable and expected way to use a CLI. Prefer npx or verifying the package source if you want to avoid a global install.
Credentials
The skill requests no environment variables, secrets, or config paths. Authentication is delegated to Membrane (browser-based or headless flow). The absence of requested credentials matches the guidance in the document.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. It is user-invocable and allows normal autonomous invocation (platform default). Nothing in the instructions attempts to modify other skills or system-wide settings.
Assessment
This is an instruction-only Incorta integration that delegates authentication and API proxying to Membrane. Before installing/running the CLI: 1) Confirm you trust Membrane (getmembrane.com) because Incorta API calls and data will pass through their service; check their privacy/security docs. 2) Prefer using npx if you don't want a global npm install, and verify the @membranehq/cli package/version on npm/GitHub. 3) The skill does not request local secrets, but the agent will rely on network access and your Membrane account—ensure browser-based login flows are completed in a trusted environment. 4) If you need higher assurance, review Membrane's docs or the connector implementation (repository link provided) before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97brk6xwec8crkeb781h0aa8h84d16e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments