Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Insomnia

v1.0.2

Insomnia integration. Manage data, records, and automate workflows. Use when the user wants to interact with Insomnia data.

by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to integrate with Insomnia using Membrane, and all described commands are consistent with that purpose. However, the registry metadata lists no required binaries or install steps even though the SKILL.md explicitly instructs installing @membranehq/cli (npm) and using npx; this mismatch should be resolved (the skill will not work without Node/npm/npx and installing the CLI).
Instruction Scope
The SKILL.md only instructs using the Membrane CLI to discover connectors, create connections, run actions, and proxy requests to Insomnia. It does not instruct the agent to read unrelated files, environment variables, or system paths. Authentication is browser-based and handled by Membrane rather than asking for local secrets.
Install Mechanism
There is no formal install spec in the registry; runtime instructions tell the user to run `npm install -g @membranehq/cli` and to use `npx`. Installing a global npm package and using npx is common but modifies the host system and pulls code from the npm registry — a moderate-risk install mechanism. The absence of an explicit install declaration in metadata is an inconsistency to be aware of.
Credentials
The skill requests no environment variables or credentials and explicitly advises not to collect API keys (Membrane handles auth). That is proportionate. However, note that using Membrane delegates Insomnia data and credentials to Membrane's service — you must trust that external service with your data and access tokens.
Persistence & Privilege
The skill is not marked 'always' and does not request system-wide config changes or access to other skills' configs. It does require installing a CLI binary (global npm install) if you follow the instructions, but it doesn't demand elevated platform privileges in the manifest.
What to consider before installing
This skill looks like a legitimate Membrane-based integration for Insomnia, but confirm a few things before installing: (1) the SKILL.md requires Node/npm/npx and a global install of @membranehq/cli — the registry metadata didn’t list these; install would add software to your system. (2) Using the skill routes Insomnia access through Membrane's service (getmembrane.com) and its cloud-side connectors — only proceed if you trust Membrane to hold and proxy your Insomnia data and tokens. (3) Verify the npm package and GitHub repository authorship (package owner, download counts, repo commits) before running global installs. (4) If you need higher assurance, test in an isolated environment (container/VM) or ask the publisher to add explicit required-binaries and an install manifest to the registry entry. Providing those artifacts or a signed package would increase confidence and could change this assessment to benign.
