ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Process Street

v1.0.2

Process Street integration. Manage Organizations, Integrations. Use when the user wants to interact with Process Street data.

0· 91·1 current·1 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md documents using the Membrane CLI to connect to Process Street, discover actions, run actions, and proxy API requests. No unrelated services, env vars, or binaries are requested.
Instruction Scope
Runtime instructions are limited to installing and using the Membrane CLI, creating connections, listing actions, running actions, and proxying requests to Process Street. The instructions do not ask the agent to read arbitrary files, exfiltrate local environment variables, or access unrelated system paths.
Install Mechanism
Installation is via npm (-g @membranehq/cli). This is expected for a CLI-based integration but has the usual supply-chain considerations of installing a global npm package (requires privileges and trusts the package author). There is no direct download from arbitrary URLs or extracted archives.
Credentials
The skill declares no required env vars or secrets. Authentication is delegated to Membrane (browser-based OAuth flow), which is proportionate for a connector-based integration. The SKILL.md explicitly advises not to ask users for API keys.
Persistence & Privilege
Skill is instruction-only, has no install script that writes to disk, and does not request always:true or other elevated persistence. It does not modify other skills or system-wide settings.
Assessment
This skill appears to do what it claims: it uses the Membrane CLI to talk to Process Street and does not request unrelated credentials. Before installing: (1) confirm you trust the @membranehq npm package (review its npm page/repo and recent releases), (2) be comfortable with the Membrane service acting as a proxy (Membrane will see API requests and responses for your Process Street account), and (3) note that installing a global npm CLI requires write permission to system locations. If you need stricter control, verify the package source or run the CLI in an isolated environment/container.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bxbmb11q846mkswdtjnh50584292m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments