Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jiminny

v1.0.0

Jiminny integration. Manage data, records, and automate workflows. Use when the user wants to interact with Jiminny data.

by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill claims to integrate with Jiminny via the Membrane platform, which fits the described purpose. However, the registry metadata lists no required binaries or credentials while the SKILL.md clearly expects npm/node, npx, and the @membranehq/cli to be installed — a discrepancy between declared requirements and what is actually needed.
Instruction Scope
Runtime instructions focus on installing and using the Membrane CLI to discover actions, run actions, and proxy requests to the Jiminny API. The instructions do not ask the agent to read unrelated system files or environment variables, nor to exfiltrate local data, but they do enable sending arbitrary API requests (via 'membrane request') through Membrane's proxy.
Install Mechanism
There is no formal install spec in the registry, yet SKILL.md instructs a global npm install (npm install -g @membranehq/cli) and shows npx usage. Installing a global npm package is moderate risk because it executes third‑party code; the package appears to be from a scoped public registry (@membranehq) which is reasonable, but the metadata should have declared this requirement.
Credentials
The skill does not request environment variables or secrets and explicitly recommends letting Membrane handle credentials rather than asking users for API keys. It does require a Membrane account and browser-based auth, which is proportional to the described functionality.
Persistence & Privilege
The skill is instruction-only, does not request 'always: true', and does not attempt to modify other skills or system-wide settings. It relies on an external CLI but does not request persistent elevated platform privileges in the metadata.
What to consider before installing
This skill appears to do what it says (use Membrane to access Jiminny), but note two practical risks before installing: (1) the SKILL.md requires npm/node, npx, and a global install of @membranehq/cli even though the registry metadata omitted those requirements — confirm your environment can safely install global npm packages; (2) the CLI will proxy arbitrary requests to Jiminny via Membrane, so any data you send could be transmitted to the remote Membrane service. Before proceeding: verify the @membranehq/cli package on npm/GitHub, confirm the publisher (Membrane) and its privacy/security policies, consider installing and testing the CLI in a sandbox or ephemeral environment first, and avoid sending sensitive data until you trust the service. If you want the metadata fixed, ask the publisher to declare required binaries (node/npm) and to provide a formal install spec.

Like a lobster shell, security has layers — review code before you run it.

latestvk9736x5xwndbdh3efgsdmkm1mx84e225

