Nimble Crm

v1.0.0

Nimble integration. Manage data, records, and automate workflows. Use when the user wants to interact with Nimble data.

by Membrane Dev (@membranedev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description say 'Nimble integration' and the SKILL.md exclusively instructs using the Membrane CLI to discover, connect, and call Nimble actions — this is proportionate to the stated purpose.
Instruction Scope
Instructions are narrowly scoped to installing and using the Membrane CLI, logging in, creating connections, listing actions, running actions, and proxying requests to Nimble. They do not instruct reading unrelated files, accessing unrelated env vars, or exfiltrating data to unexpected endpoints. They do rely on browser-based auth and a Membrane-hosted account flow (so Membrane will see the CRM requests).
Install Mechanism
There is no registry install spec, but the SKILL.md instructs users to run `npm install -g @membranehq/cli`. Installing a global npm package is expected for a CLI but carries the usual npm risks (supply-chain/postinstall scripts). The registry itself does not perform any install — the user must run the command.
Credentials
The skill declares no required env vars, no credentials, and no config paths. Authentication is delegated to Membrane (server-side account/connection). This is proportionate, though it means users must trust Membrane with credentials and proxied requests.
Persistence & Privilege
The skill is not always-enabled, does not request system-wide config changes, and has no install-time hooks in the registry. Autonomous invocation is allowed (default) but is not combined with other high-risk requests.
Assessment
This skill appears to do what it says: it uses the Membrane CLI to interact with Nimble. Before installing or using it, consider: (1) Membrane will act as a proxy and will see your Nimble data and manage your credentials — review Membrane's privacy/security and decide whether you trust that service. (2) The SKILL.md asks you to install a global npm package (@membranehq/cli); verify the package name and source before running npm -g and consider installing in a controlled environment first. (3) The skill explicitly advises not to ask the user for API keys — do not provide Nimble API tokens directly; use the connection flow. (4) If you need higher assurance, test with a disposable Nimble account or limited-scope data and verify the CLI’s behavior. Overall the skill is internally consistent, but its primary risk is trusting an external proxy/service rather than any hidden or incoherent behavior.

