ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ninox

v1.0.2

Ninox integration. Manage Organizations, Persons, Deals, Projects, Activities, Notes and more. Use when the user wants to interact with Ninox data.

0· 95·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Ninox integration) match the instructions: all actions are performed via the Membrane CLI which proxies to Ninox. No unrelated credentials, binaries, or resources are requested.
Instruction Scope
SKILL.md only instructs installing and using the Membrane CLI, creating/using connections, running actions, and proxying requests to Ninox. It does not ask the agent to read unrelated files, exfiltrate data, or access system config beyond running the CLI.
Install Mechanism
There is no automated install spec in the skill (instruction-only). The guide tells users to install @membranehq/cli via npm -g or use npx; installing global npm packages executes third-party code on the machine and has moderate risk if the package or registry is untrusted. This is expected for a CLI-based integration.
Credentials
The skill requests no environment variables or credentials and explicitly tells users not to provide API keys (use Membrane connections instead). That is proportional to the stated purpose.
Persistence & Privilege
Skill is instruction-only, always:false, and does not request persistent agent privileges or modify other skills/config. The agent may invoke it autonomously (platform default), which is normal.
Assessment
This skill is coherent: it tells you to use the Membrane CLI to talk to Ninox and does not ask for direct API keys. Before installing, verify you trust the @membranehq npm package and the getmembrane.com project (review the package page and repository), avoid installing global npm packages as root, consider using npx to avoid a global install, and run the CLI in a controlled environment if you have concerns about third-party code execution.

Like a lobster shell, security has layers — review code before you run it.

latestvk9712gnnzf6de20pmqsvhspw9x8437jh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments