ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Landing Ai

v1.0.0

Landing AI integration. Manage data, records, and automate workflows. Use when the user wants to interact with Landing AI data.

0· 49·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description claim a Landing AI integration and the SKILL.md consistently uses Membrane to interact with Landing AI — that is coherent. However, the registry metadata declares no required binaries or install steps while the instructions require npm/node (or npx) and a global @membranehq/cli install or use of npx; this mismatch (undeclared runtime dependency) should be noted.
Instruction Scope
The SKILL.md confines itself to using the Membrane CLI to discover connectors, create connections, run actions, and proxy requests to the Landing AI API. It does not instruct the agent to read unrelated local files or environment secrets. It does allow arbitrary proxied API requests (membrane request) which is expected for an integration but means the agent can send arbitrary data to external services.
Install Mechanism
There is no formal install spec in the registry (instruction-only), so nothing is automatically written to disk by the skill bundle. The instructions recommend installing @membranehq/cli via npm (global install) or using npx — relying on the public npm registry. This is a common approach but carries the usual npm-package trust considerations; the skill does not point to a pinned release or checksum.
Credentials
The skill does not request environment variables, credentials, or system config paths. The SKILL.md explicitly tells integrators to create Membrane connections rather than ask users for API keys, which is proportionate. It does require a Membrane account and network/browser-based auth, which are reasonable for this purpose.
Persistence & Privilege
The skill is not marked always:true and does not request persistent elevated privileges or to modify other skills or system-wide settings. Autonomous invocation is allowed by default but that is standard; nothing in the package requests unusual persistence.
What to consider before installing
This skill appears to be a legitimate Landing AI integration that uses the Membrane CLI, but take these precautions before installing/using it: 1) Verify you trust Membrane/@membranehq/cli — check the npm package owner, the GitHub repository (the SKILL.md references https://github.com/membranedev/application-skills) and the domain getmembrane.com. 2) Be aware the instructions expect npm/node or npx and will open browser-based auth; the registry metadata did not declare that dependency. 3) Membrane proxies requests and holds credentials server-side — any data you send via 'membrane request' can go to Landing AI; avoid sending sensitive secrets or PII unless you trust the target and Membrane. 4) Prefer using npx (one-off) to avoid a global npm install if you are unsure. 5) If you need higher assurance, ask the publisher for a signed release, package provenance, or a pinned package version and checksum. If you are uncomfortable trusting the Membrane service or the npm package, do not install or run the CLI.

Like a lobster shell, security has layers — review code before you run it.

latestvk978efakwdh32wkwxsebcr36ks84eqga

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments