Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Localstack
v1.0.0
LocalStack integration. Manage data, records, and automate workflows. Use when the user wants to interact with LocalStack data.
by Membrane Dev @membranedev
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (LocalStack integration) align with the instructions: the SKILL.md tells the agent to use the Membrane CLI to create a connector and run/proxy requests to LocalStack. Requiring a Membrane account and network access is coherent with this purpose.
Instruction Scope
Instructions are limited to installing/using the Membrane CLI, creating connections, listing/running actions, and proxying requests via Membrane. This stays within the stated purpose; however, the proxy command lets you send arbitrary HTTP requests through the Membrane connection (headers, body, path) — expected for a generic integration but gives broad network request capability tied to whatever the connection can reach.
Install Mechanism
Install steps use npm (npm install -g @membranehq/cli) and npx for discovery; these are standard package registry operations and not a high-risk download-from-arbitrary-URL pattern.
Credentials
The skill declares no required env vars or credentials and explicitly instructs not to ask users for API keys, instead using Membrane's connection flow. Requesting a Membrane account for authentication is proportional to the integration.
Persistence & Privilege
No install spec or code files; the skill is instruction-only, not always-enabled, and does not request system-wide changes or other skills' configuration.
Assessment
This skill uses the Membrane CLI and your Membrane account to create a connector and proxy requests to LocalStack. Before installing: (1) confirm you're comfortable installing a global npm CLI (@membranehq/cli); (2) verify you trust Membrane (getmembrane.com) since authentication is done through their service; and (3) be aware that the 'membrane request' proxy can send arbitrary HTTP requests to endpoints accessible via the connection, so only connect it to services/environments you trust.
Like a lobster shell, security has layers — review code before you run it.
