Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Moov
v1.0.0
Moov integration. Manage data, records, and automate workflows. Use when the user wants to interact with Moov data.
by Membrane Dev (@membranedev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Moov integration) align with the instructions: all actions are performed via the Membrane CLI which proxies/authenticates Moov requests. The homepage and repository references match the listed integration approach.
Instruction Scope
SKILL.md only instructs installing and using the Membrane CLI, creating connections, listing actions, running actions, or proxying requests through Membrane. It does not ask the agent to read unrelated files, request unrelated credentials, or transmit data to unexpected endpoints. Headless auth flow and browser-based login are documented.
Install Mechanism
This is an instruction-only skill (no install spec in registry). The doc recommends installing @membranehq/cli globally via npm (npm install -g) and uses npx for some commands. Installing a third-party CLI globally is a normal convenience but is a higher-integrity action than a truly instruction-only skill because it writes to disk and runs external code; this is expected for the stated purpose but the user should confirm the package origin before installing.
Credentials
The skill declares no required environment variables, no secrets, and the docs explicitly advise against asking the user for API keys. That matches the stated design where Membrane manages auth server-side.
Persistence & Privilege
always:false and default model invocation are set. There is no request to modify other skills or system-wide configs. The skill does not require permanent presence or elevated privileges.
Assessment
This skill appears to do what it says: it expects you to use the Membrane CLI to talk to Moov and intentionally avoids asking for API keys. Before installing the CLI, verify the @membranehq/cli package and the Membrane service (homepage/repo) are the official sources you trust. If you prefer not to install a global npm package, use npx (the SKILL.md already uses npx in examples) which avoids a global install. Remember that Membrane's servers will handle and store your Moov authentication (so you’re trusting that service with those credentials); if that is a privacy or compliance concern, review Membrane’s policy and consider contacting your security team.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97f3r12e0vkj7ty1a16fxmz0184eny2
