Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jobvite

v1.0.2

Jobvite integration. Manage data, records, and automate workflows. Use when the user wants to interact with Jobvite data.

by Membrane Dev (@membranedev)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (Jobvite integration) matches the runtime instructions (using the Membrane CLI to connect to Jobvite and run actions). However, the SKILL.md requires the Membrane CLI (installed via npm) and a Membrane account, while the registry metadata declares no required binaries. This omission is an inconsistency: the skill implicitly requires node/npm and the 'membrane' binary.
Instruction Scope
Instructions stay within the integration scope (discover actions, run actions, proxy raw Jobvite API requests). They explicitly tell the agent to use Membrane for auth and to never ask users for Jobvite API keys. One notable point: the 'membrane request' proxy will send arbitrary API requests through Membrane's service (including request bodies and headers), so using proxy calls means trusting Membrane with any data sent or received.
Install Mechanism
This is an instruction-only skill but directs users to run 'npm install -g @membranehq/cli' (global npm install). The registry did not declare an install spec or required binaries (node/npm). Public npm packages are moderate risk: they are traceable but can execute arbitrary code at install/run time. Global install may require elevated permissions. The skill should have declared that node/npm is required and documented installation alternatives or sandboxing guidance.
Credentials
The skill does not request environment variables, credentials, or config paths in the registry metadata. The SKILL.md explicitly instructs not to ask users for API keys and to rely on Membrane-managed connections, which is consistent. However using Membrane implies that Membrane's servers will see proxied requests and tokens associated with connections — a privacy/trust consideration rather than a direct credential request by the skill.
Persistence & Privilege
The skill is not always-on and does not request elevated persistent presence or modify other skills' config. There is no code written to disk by the registry itself (instruction-only). Normal autonomous invocation is allowed by platform defaults but not a special privilege here.
Scan Findings in Context
[no_regex_findings] expected: The scanner found no code-level regex matches. This is expected because the skill is instruction-only (only SKILL.md present). Absence of findings does not imply the instructions are risk-free.
What to consider before installing
This skill appears to be a straightforward Jobvite integration that uses the Membrane CLI, but check these before installing:
1) You will need node/npm (the SKILL.md tells you to run a global 'npm install -g @membranehq/cli'); the registry metadata did not declare this requirement. A global npm install can require elevated privileges; consider installing in a container or using npx/local install if you want to avoid global changes.
2) Using the 'membrane request' proxy sends API requests (and their bodies/headers) through Membrane's servers; you must trust Membrane with any sensitive Jobvite data or tokens associated with the connection.
3) Verify the @membranehq/cli package and its source (package homepage, npm publisher) if you have high security requirements.
4) If you need an auditable, offline approach or want to avoid third-party proxies, prefer direct API integration (understanding that you would then need to manage credentials yourself).
If you need more assurance, ask the publisher for: an explicit declaration of required binaries (node/npm), an install spec, and details about what data Membrane logs or persists for proxied requests.
