Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Productlane
v1.0.2
Productlane integration. Manage Workspaces. Use when the user wants to interact with Productlane data.
by Membrane Dev (@membranedev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's purpose (Productlane via Membrane) matches the instructions, but the manifest declares no required binaries or credentials while the runtime instructions explicitly require the Membrane CLI (and implicitly npm/npx and a browser for login). The manifest should have declared 'membrane' (and/or npm/npx) as required binaries, or formally documented the install steps; their absence is an incoherence.
Instruction Scope
SKILL.md is focused: it instructs using Membrane CLI to connect to Productlane, run actions, and proxy API requests. It does not direct the agent to read arbitrary files, environment variables, or unrelated services. Proxying is limited to the Productlane connection via Membrane (auth handled server-side).
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the README tells users to run 'npm install -g @membranehq/cli' or use npx. Installing from the public npm registry is standard, but because installation is recommended rather than declared in metadata, the operational expectation is inconsistent. This is moderate risk only if you don't verify the npm package/source.
Credentials
The skill requests no environment variables or secrets in the manifest and the instructions explicitly advise against asking for API keys, relying on Membrane to manage credentials. That is proportionate for a connector-based integration.
Persistence & Privilege
always is false and there are no requested config paths or claims to modify other skills or system settings. The skill is instruction-only and does not request permanent elevated presence.
What to consider before installing
Before installing or using this skill:
(1) Understand that it expects the Membrane CLI (and implicitly npm or npx) even though the registry metadata lists no required binaries — make sure your environment can run these commands.
(2) Verify the @membranehq/cli npm package and the Membrane service (https://getmembrane.com and the package page) so you trust the source and OAuth scopes requested during browser login.
(3) Be aware that authenticating will grant Membrane access to your Productlane account — review the scopes and revoke access if needed.
(4) Prefer using npx for one-off runs if you want to avoid a global install, and confirm whether the agent/runtime that will execute this skill is allowed to run shell commands and open browser auth flows.
(5) If you need certainty about metadata, ask the publisher to update the registry entry to declare required binaries (membrane, npm/npx) and any other runtime expectations.
Like a lobster shell, security has layers — review code before you run it.
