ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Medius

v1.0.1

Medius integration. Manage data, records, and automate workflows. Use when the user wants to interact with Medius data.

0· 40·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Medius integration) aligns with the runtime instructions (use Membrane CLI to connect and call Medius). However the skill does not declare that Node/npm (or an npm-capable environment) is required even though it instructs installing @membranehq/cli via npm. Also the SKILL.md includes an out-of-place 'Official docs' link to oculus.developer.oculus.com, which looks like a copy/paste error and is inconsistent with the stated purpose.
Instruction Scope
Instructions are narrowly scoped to installing the Membrane CLI, performing login, creating/looking up connections, running actions, and optionally proxying raw API requests via Membrane. The instructions do not ask the agent to read unrelated local files or environment variables. Note: proxying requests sends data through the Membrane service — that is expected for this design but is a data-flow consideration.
Install Mechanism
This is an instruction-only skill but it tells users to run `npm install -g @membranehq/cli` (or use npx in examples). Installing a public npm package is a common approach but has moderate risk compared to no-install skills: it writes files to disk and depends on the npm package’s integrity. The instruction does not provide hashes or pinned release guidance; consider using npx or pinning a vetted version to reduce risk.
Credentials
The skill does not request any environment variables, secrets, or local config paths in metadata. It intentionally delegates credentials to Membrane (the SKILL.md explicitly advises against asking users for API keys). That is proportionate, but it does mean you must trust Membrane (getmembrane.com and the @membranehq npm package) to manage and store your Medius credentials and perform API calls on your behalf.
Persistence & Privilege
The skill does not request always:true or any elevated/persistent agent privileges. It is user-invocable and does not modify other skills or agent-wide settings according to the provided metadata.
What to consider before installing
This skill appears to be a straightforward Membrane-based integration for Medius, but take these precautions before installing or using it: 1) Verify you are comfortable trusting Membrane (getmembrane.com) and the @membranehq npm package to hold and refresh your Medius credentials and to proxy API requests. 2) Confirm you have a safe environment for installing global npm packages (or use npx to avoid a global install). 3) Check the npm package owner and repository (https://github.com/membranedev/application-skills) and inspect the package contents or release tags if possible. 4) Note the SKILL.md contains an odd 'Official docs' link to an Oculus site — treat that as a copy/paste error and confirm other links/documentation match your expectations. 5) If you need minimal trust surface, consider using a short-lived or least-privilege Medius account for initial testing and audit network calls during use.

Like a lobster shell, security has layers — review code before you run it.

latestvk975g1mdbmjdcrasy3t2cctp3s84gbe1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments