ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Overloop

v1.0.2

Overloop integration. Manage Organizations, Pipelines, Users, Goals, Filters. Use when the user wants to interact with Overloop data.

0· 80·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description claim an Overloop integration and the instructions exclusively use the Membrane CLI to perform connector discovery, actions, and proxied API requests — that is proportionate. However the SKILL.md's 'Official docs' link points to Salesloft (different product), which looks like a copy/paste or documentation error and reduces confidence in the package's attention to detail.
Instruction Scope
Instructions are narrowly scoped to installing and using the Membrane CLI, creating connections, listing actions, running actions, and proxying requests. They do not instruct reading arbitrary local files or env vars. Note: proxying requests via Membrane means your API calls and credentials are handled by Membrane's service — this has privacy/third‑party exposure implications even if functionally expected.
Install Mechanism
This is an instruction‑only skill (no install spec in registry), but SKILL.md instructs installing @membranehq/cli via npm -g. Installing a global npm CLI is a legitimate step but introduces the usual supply‑chain considerations (verify package identity/version and trust the npm package owner).
Credentials
The skill declares no required env vars and the SKILL.md explicitly instructs not to ask users for API keys, relying on Membrane to manage auth. That is proportionate to the stated purpose, but it does centralize credentials/trust in Membrane's service.
Persistence & Privilege
No persistent/always privilege requested (always:false). The skill is user‑invocable and instruction‑only; it does not request systemwide configs or other skills' credentials.
What to consider before installing
This skill appears to be what it says: it uses the Membrane CLI to access Overloop connectors and APIs. Before installing: 1) note that it requires installing @membranehq/cli (global npm install) — verify the npm package and use npx if you prefer not to install globally; 2) understand Membrane will broker authentication and proxy your API requests (you are trusting their service with credentials and proxied request content); 3) verify the Overloop connector actually exists in your Membrane tenant; 4) the SKILL.md contains an incorrect 'Official docs' link to Salesloft — treat that as a documentation error and, if concerned, confirm the correct API docs and repository links (the SKILL.md lists a Membrane GitHub repo). If you need stronger assurance, request a skill with an explicit registry source, repo tag/commit, or review the Membrane CLI package contents before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk9745948xjjrjj3xqkkw0yw0rn843ta6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments