Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Miniorange
v1.0.0
miniOrange integration. Manage data, records, and automate workflows. Use when the user wants to interact with miniOrange data.
by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description (miniOrange integration) align with the runtime instructions that use Membrane as a proxy to interact with miniOrange. However, the SKILL.md requires the Membrane CLI (and implicitly Node/npm) to be available; the skill metadata declares no required binaries or install spec, which is an inconsistency.
Instruction Scope
Instructions are focused on using the Membrane CLI to discover connectors, create connections, run actions, and proxy requests to miniOrange. They do not instruct the agent to read unrelated files, collect unrelated credentials, or transmit data to unexpected endpoints. The SKILL.md explicitly advises not to ask users for API keys and to let Membrane manage auth.
Install Mechanism
There is no install spec in the skill bundle (instruction-only), but the SKILL.md tells users to run `npm install -g @membranehq/cli` (or use npx commands). Installing a public npm package is a common approach and the package is traceable, but the skill metadata should have declared the dependency or required binaries (node/npm/membrane). Global npm installs carry typical security considerations and should be verified.
Credentials
The skill requests no environment variables or credentials in metadata; the runtime instructions rely on a Membrane account (server-side auth) and browser-based login. This is proportionate to the described purpose. Users should still confirm trust in Membrane as the central authenticator/proxy.
Persistence & Privilege
The skill is not always-included and does not request special system paths or persistent privileges. It is user-invocable and allows normal autonomous invocation (default), which is expected for skills.
Scan Findings in Context
[no_regex_findings] expected: The regex scanner found nothing to analyze because this is an instruction-only skill with no code files; that is expected but means the instructions are the primary security surface to review.
What to consider before installing
This skill appears to do what it says — it uses Membrane to integrate with miniOrange — but confirm a few things before installing or using it:
(1) The SKILL.md requires the Membrane CLI (and thus Node/npm); the skill metadata did not list required binaries. Ensure your environment has Node/npm and verify whether you want to install a global npm package (@membranehq/cli) or use npx.
(2) Verify the authenticity of the @membranehq/cli package and the Membrane project (check npm and the GitHub repository) before installing.
(3) Understand that Membrane will hold the credentials and act as a proxy — only proceed if you trust Membrane to manage miniOrange auth and data.
(4) Because this skill is instruction-only, the runtime behavior depends on the Membrane CLI and your Membrane account; review those components' security/privacy policies.
If you want higher assurance, ask the publisher to (a) declare required binaries in metadata (node/npm/membrane) and (b) provide a link to the exact CLI release they expect to use.
Like a lobster shell, security has layers — review code before you run it.
