ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lessonspace

v1.0.2

Lessonspace integration. Manage Spaces. Use when the user wants to interact with Lessonspace data.

0· 106·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is a Lessonspace integration and all runtime instructions target Lessonspace via the Membrane CLI, which is coherent with the stated purpose. However, the skill metadata declares no required binaries or environment variables while the SKILL.md explicitly requires installing and using the 'membrane' CLI (and npm to install it). That mismatch is unexpected and should be fixed or explained.
Instruction Scope
SKILL.md stays within the stated scope: it documents using the Membrane CLI to discover connectors, create connections, run actions, and proxy requests to the Lessonspace API. It explicitly warns not to ask users for API keys and describes authentication flows (browser-based, headless code completion). The instructions do not ask the agent to read unrelated files or exfiltrate data.
Install Mechanism
There is no formal install spec in the registry, but the SKILL.md instructs the user to run 'npm install -g @membranehq/cli'. Installing a global npm package is a common pattern but carries moderate risk (remote package code executed locally). The registry should have declared the dependency/binaries, and you should verify the npm package source and integrity before installing.
Credentials
The skill declares no required environment variables and the instructions state that Membrane handles auth server-side and that you should not ask users for API keys. That is proportionate: the integration relies on a Membrane account (not local secrets).
Persistence & Privilege
always is false and there are no code files or install hooks that would force permanent presence. The skill is instruction-only and user-invocable; it does not request elevated platform privileges.
What to consider before installing
This skill appears to be a normal Lessonspace integration that expects you to use the Membrane CLI, but the registry metadata doesn't list that CLI or npm as required — a small incoherence to be aware of. Before installing or running any commands: 1) Verify the '@membranehq/cli' package on npm (publisher, recent releases, repository link) and confirm the getmembrane.com and GitHub URLs are legitimate; 2) Prefer installing the CLI in a controlled environment (not a sensitive production host) and review the package contents if possible; 3) Understand you will authenticate via browser (Membrane will hold credentials server-side) — do not paste API keys into chat; 4) Ask the skill author to update metadata to declare the required binaries (npm/node and membrane) so the registry accurately reflects what will be needed. If you need higher assurance, request a signed checksum or review of the CLI source before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fxxwz2dqt5qhr4vxf42cwg1842zm2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments