Pumble
v1.0.2Pumble integration. Manage Workspaces. Use when the user wants to interact with Pumble data.
⭐ 0· 88·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The SKILL.md describes a Pumble integration implemented via the Membrane CLI which matches the skill name/description. However the registry metadata declares no required binaries or credentials, while the instructions explicitly require network access, a Membrane account, and installing the @membranehq/cli — a small metadata omission that should be corrected.
Instruction Scope
Instructions stay within the stated scope: they tell the agent/operator how to install and use the Membrane CLI to discover connectors, create connections, run actions, or proxy requests to Pumble. There are no instructions to read arbitrary local files, harvest unrelated credentials, or send data to unexpected endpoints.
Install Mechanism
The install guidance is an npm global install (npm install -g @membranehq/cli) and suggestions to use npx. Installing a global npm package is a common but moderately privileged operation (it runs third-party code on the host). The npm source (@membranehq/cli) appears reasonable for the stated purpose, but users should verify the package and trust the publisher before installing.
Credentials
No environment variables or secrets are declared in the registry metadata, and the SKILL.md explicitly recommends using Membrane connections rather than asking for API keys. However SKILL.md does require a valid Membrane account (and browser-based auth), which is not declared in the skill's required fields — a minor inconsistency but not disproportionate.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system privileges. It's an instruction-only skill; it does not install background services itself. The default platform ability for autonomous invocation is unchanged (disable-model-invocation: false), which is normal — no additional persistence or privilege escalation is requested.
Assessment
This skill appears to do what it says: it uses the Membrane CLI to connect to Pumble. Before installing/using it, consider: (1) The SKILL.md requires installing a global npm package (@membranehq/cli) and a Membrane account — the registry metadata did not list these requirements, so be prepared to grant those at use-time. (2) Installing global npm packages runs third-party code on your machine — review the package (npm page, GitHub, publisher) and ensure you trust membranehq. (3) The CLI opens a browser for interactive login (or prints a code for headless flows); be mindful of where you paste/login. (4) If you allow the agent to invoke skills autonomously, it may run CLI commands that perform network requests under your Membrane account — only enable autonomous use if you trust the publisher and workflow. (5) If you need stronger assurance, ask the publisher for updated registry metadata that declares required binaries/credentials and a link to the exact npm package/release you should install.Like a lobster shell, security has layers — review code before you run it.
latestvk978tg7d0r33g1wjnk7m7y56m58423dx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.