ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Respondio

v1.0.2

Respond.io integration. Manage Organizations. Use when the user wants to interact with Respond.io data.

0· 148·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Respond.io integration) matches the SKILL.md: it uses Membrane as a proxy to interact with Respond.io and documents commands for listing/connecting/running actions. The declared requirement of a Membrane account and network access is consistent and expected.
Instruction Scope
Runtime instructions are limited to installing/using the Membrane CLI, performing login via browser, creating connections, listing actions, running actions, and proxying requests through Membrane. The doc explicitly advises against asking users for API keys and does not instruct reading unrelated files, environment variables, or sending data to unexpected endpoints.
Install Mechanism
There is no install spec in the registry; the SKILL.md tells the user to run `npm install -g @membranehq/cli` (or use npx). Installing a global npm package is a common pattern but carries the usual supply-chain risks of npm packages; this is expected for a CLI-based integration but you should verify the package (publisher, npm page) before installing.
Credentials
The skill declares no required environment variables or credentials. The instructions rely on Membrane to manage authentication server-side and explicitly recommend creating a connection rather than collecting API keys locally — this is proportionate to the stated purpose.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and has no install-time actions in the registry. Autonomous invocation is allowed by default (disable-model-invocation=false) which is normal for skills and reasonable here given the CLI-based workflow.
Assessment
This skill appears to do what it says: it delegates auth and API calls to the Membrane platform and instructs you to install and use the Membrane CLI. Before installing or using it: (1) verify the @membranehq/cli package and publisher on npm/GitHub to ensure you're installing the official CLI; (2) review the scopes/permissions when authorizing Respond.io via Membrane and only grant what you trust; (3) prefer browser-based login flows as instructed (don't paste API keys into chat); (4) be aware installing a global npm CLI runs code on your machine — uninstall if you stop using the integration. If you want extra assurance, ask the skill author for the exact npm package URL and the Membrane docs page referenced in SKILL.md.

Like a lobster shell, security has layers — review code before you run it.

latestvk97339hdkd2c6vfaybczecpyph843z76

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments