ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pushpay

v1.0.0

Pushpay integration. Manage data, records, and automate workflows. Use when the user wants to interact with Pushpay data.

0· 41·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (Pushpay integration) align with the instructions: all runtime steps call the Membrane CLI to discover connectors, create a Pushpay connection, run actions, or proxy requests to the Pushpay API. There are no unrelated required env vars, binaries, or config paths.
Instruction Scope
SKILL.md limits runtime activity to installing/using the Membrane CLI, authenticating via browser, listing/connecting to Pushpay connectors, running actions, and proxying API requests. It does not instruct reading arbitrary local files or collecting unrelated system data.
Install Mechanism
The skill is instruction-only (no registry install spec) but instructs the user to run 'npm install -g @membranehq/cli' or use npx. Installing/executing npm packages is a moderate-risk operation because packages run code on the machine. This is expected for a CLI-based integration but the user should verify the npm package and project origin before installing globally.
Credentials
The skill requests no environment variables or local credentials. Authentication is delegated to the Membrane service. Note: trusting Membrane means the service (not the skill) will hold and refresh Pushpay credentials and will proxy API requests — the user should be comfortable with that trust boundary.
Persistence & Privilege
The skill does not request 'always' presence and uses normal, user-invoked CLI flows. It does not ask to modify other skills or system-wide agent settings.
Assessment
Before installing or using this skill: 1) Verify the @membranehq/cli package and the referenced GitHub repository (check publisher, recent commits, and issues) because npm packages execute code on your machine. 2) Understand that Membrane will store and proxy Pushpay credentials — if you grant a connection, Membrane can access your Pushpay data; review their privacy/security policies and limit the account permissions used for the connector. 3) Prefer running the CLI in a controlled environment (container or non-root user), and consider using npx with a pinned version rather than a global install. 4) When running actions that modify data, inspect the action id/input schema and the CLI output before confirming destructive operations. If you cannot verify the CLI package or do not trust the external service, do not install or use the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk974njyfc4q0wy4frjmem9s4k984ggvw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments