ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Release

v1.0.0

Release integration. Manage data, records, and automate workflows. Use when the user wants to interact with Release data.

0· 21·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the instructions: the skill is an integration that uses the Membrane platform/CLI to interact with Release data. Nothing requested (no env vars, no unrelated binaries) is out of scope for that purpose.
Instruction Scope
SKILL.md confines runtime actions to installing/using the Membrane CLI, creating/listing connections, running pre-built actions, and proxying requests through Membrane. It does not instruct reading unrelated local files or asking for external secrets; it explicitly recommends not collecting API keys.
Install Mechanism
The skill is instruction-only (no registry install spec), but instructs the user to run `npm install -g @membranehq/cli` or use `npx`. Installing a global npm package is a standard but moderately privileged action (code is downloaded from the npm registry), so users should confirm the package name/publisher before installing.
Credentials
No environment variables or credentials are requested by the skill. Authentication is delegated to Membrane's login flow, which is consistent with the stated design and reduces local secret handling.
Persistence & Privilege
The skill does not request always: true or any special privileges. It is user-invocable and can be invoked autonomously by the agent (platform default), which is expected for an integration skill. There is no indication it modifies other skills or system-wide settings.
Assessment
This skill appears to be what it claims: a Membrane-based integration for Release. Things to consider before installing/using it: 1) Verify the npm package (@membranehq/cli) and its publisher before running `npm install -g` (or use `npx` to avoid a global install). 2) Expect a browser-based OAuth flow for Membrane login; use a browser you trust and avoid pasting secrets into prompts. 3) The skill lets the CLI proxy arbitrary API calls through your Membrane connection — only connect accounts/services you trust and review what actions the agent requests. 4) If you need stricter isolation, run the CLI in a sandbox/container or use an account with limited permissions. 5) If you want extra assurance, check Membrane's privacy/security docs and the upstream repository referenced in SKILL.md before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bsf2jzbcbm3ef55jkbnpran846wwm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments