ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Leexi

v1.0.2

Leexi integration. Manage Leads, Persons, Organizations, Deals, Projects, Pipelines and more. Use when the user wants to interact with Leexi data.

0· 158·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description (Leexi integration) match the instructions: all actions are performed via the Membrane CLI and the skill explicitly requires a Membrane account and network access. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to install and use the Membrane CLI, create connections, list actions, run actions, and proxy requests to Leexi via Membrane. All referenced commands and data flows are relevant to interacting with Leexi; the instructions do not ask the agent to read unrelated local files or exfiltrate arbitrary system data. Note: the proxy feature lets the agent send arbitrary API requests to Leexi through Membrane using the created connection, which is expected for this integration.
Install Mechanism
No install spec in the registry; the README recommends installing @membranehq/cli via npm (npm install -g). This is a standard public npm package recommendation (not an automatic download in the skill). Installing global npm packages may require elevated privileges—verify the package and publisher before installing.
Credentials
The skill declares no required env vars or credentials. SKILL.md advises using Membrane-managed connections (server-side auth) and explicitly tells integrators not to request user API keys, which is proportionate for this purpose.
Persistence & Privilege
Skill is instruction-only, always:false, user-invocable:true, and does not request persistent system changes or modify other skills' configurations. It does not request elevated platform privileges.
Scan Findings in Context
[no_code_files_to_scan] expected: The scanner found no code files because this is an instruction-only skill (only SKILL.md present). This is expected; runtime behavior depends on executing the Membrane CLI as instructed.
Assessment
This skill appears coherent and uses the Membrane CLI to access Leexi. Before installing/using it: (1) Verify you trust Membrane (getmembrane.com / the @membranehq npm package and repository) because API requests and authentication are proxied through their service — sensitive data will transit their infrastructure. (2) Installing the CLI globally (npm install -g) may require elevated privileges; review the npm package and its permissions. (3) Understand that invoking the skill will run shell commands (membrane CLI) that can make arbitrary requests to the Leexi API via a created connection — ensure you only connect accounts/services you trust. If you want tighter control, avoid installing the global CLI or review the Membrane privacy/security docs and the @membranehq/cli source first.

Like a lobster shell, security has layers — review code before you run it.

latestvk9759cbs8hjfkdcejsg2r4w1zh8433dp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments