ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Loyjoy

v1.0.1

LoyJoy integration. Manage Organizations. Use when the user wants to interact with LoyJoy data.

0· 149·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill claims to integrate with LoyJoy via Membrane and the SKILL.md exclusively instructs use of the Membrane CLI and Membrane-hosted proxy. Required capabilities (network access, a Membrane account, installing the Membrane CLI) align with that purpose.
Instruction Scope
Runtime instructions are limited to installing/using the Membrane CLI, logging in, discovering connections/actions, running actions, and proxying API requests. The instructions do not ask the agent to read unrelated files, environment variables, or system configuration.
Install Mechanism
This is an instruction-only skill (no install spec in registry). The SKILL.md asks the user to npm install -g @membranehq/cli (a public npm package). That is a reasonable ask for this integration, but global npm installs modify system state and should be done from a trusted source or within a controlled environment (container, virtualenv-like tool, or with user awareness).
Credentials
The skill declares no required env vars, secrets, or config paths. Authentication is delegated to Membrane via browser-based login/connection flows, which matches the stated guidance to avoid local API keys.
Persistence & Privilege
The skill is not forced-always, and it does not request elevated or persistent platform privileges. Autonomous invocation is allowed (default) but that is expected for skills and is not combined with other concerning flags.
Assessment
This skill is coherent: it instructs use of the Membrane CLI to access LoyJoy and does not request secrets or unrelated system access. Before installing, verify the @membranehq/cli package is from the official maintainer (check npm and the project repo), consider installing it in a contained environment (container or dedicated VM) rather than system-wide if you want reduced risk, and be aware the login flow opens a browser (or prints a URL for headless flows). Allow agent use of the skill only if you trust the agent to act on your behalf, since the skill can be invoked autonomously by default.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ekq555h3h4eez0aezsyrn2x842gm7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments