ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Microsoft 365 People

v1.0.0

Microsoft 365 People integration. Manage data, records, and automate workflows. Use when the user wants to interact with Microsoft 365 People data.

0· 57·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the instructions: the skill is an integration helper for Microsoft 365 People implemented by invoking Membrane to access Microsoft Graph. The need for a connector and proxy to Microsoft 365 People is coherent with the stated purpose.
Instruction Scope
SKILL.md only instructs installing and using the Membrane CLI for login, listing/connecting, running actions, and proxying Graph requests. It does not ask the agent to read unrelated local files or environment variables, nor to exfiltrate data to unexpected endpoints. It does, however, route Microsoft 365 data through Membrane (explicitly stated).
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the doc recommends installing @membranehq/cli via npm (global install) and uses npx in examples. Pulling a CLI from the public npm registry is a common pattern but has moderate risk compared to an instruction-only skill because it installs third‑party code on the host.
Credentials
The skill declares no required env vars and does not request credentials; authentication is delegated to Membrane via an interactive browser flow. That is proportionate to its purpose, but it means sensitive org data and access tokens will be handled by the Membrane service — users should verify that is acceptable. Also note a small metadata inconsistency: registry 'required binaries' lists none but instructions require npm (and the membrane binary) to be available/installed.
Persistence & Privilege
The skill does not request always:true or other elevated persistent privileges. It is user-invocable and allows autonomous invocation (platform default), which is expected. The skill does not instruct modification of other skills or system-wide agent settings.
Assessment
This skill is coherent: it acts as documentation for using the Membrane CLI to access Microsoft 365 People. Before installing/using it, confirm you trust Membrane (getmembrane.com/@membranehq) because your organization's People data and tokens will be proxied through their service. Installing the CLI via npm (global install or npx) will run third‑party code on your machine — prefer pinning to a specific, audited version and review the package before global installation. If your org forbids routing data through external proxies, implement a direct Microsoft Graph integration instead. Also note the minor inconsistency: the registry metadata lists no required binaries even though the instructions assume npm/membrane are available.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dsvr4beyje28jkyrt8jpdt1844zny

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments