Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sapling
v1.0.0
Sapling integration. Manage data, records, and automate workflows. Use when the user wants to interact with Sapling data.
by Membrane Dev (@membranedev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill declares Sapling integration and all runtime instructions center on installing and using the Membrane CLI to connect to Sapling and run actions. Asking the user to have a Membrane account and to run membrane commands is coherent with the stated purpose.
Instruction Scope
SKILL.md only instructs installing and using the Membrane CLI, creating connections, listing actions, running actions, and proxying requests to Sapling via Membrane. It does not direct the agent to read unrelated files, ask for unrelated credentials, or transmit data to unexpected endpoints beyond Membrane/Sapling.
Install Mechanism
The skill is instruction-only (no install spec), but it tells users/agents to run `npm install -g @membranehq/cli` or `npx ...`. Installing or invoking third-party CLI packages is expected for this integration, but global npm installs carry the usual supply-chain and system-impact risks. Verify the @membranehq package, and prefer ephemeral or containerized installs if you require stricter controls.
Credentials
The skill declares no required environment variables or local config paths. It relies on Membrane to handle authentication via browser-based login flows, which is proportionate to its purpose. There are no hidden requests for unrelated credentials.
Persistence & Privilege
The skill does not request always:true or elevated persistence, and it is user-invocable with normal autonomous invocation allowed. It does not instruct modification of other skills or system-wide agent settings.
Assessment
This skill is coherent: it uses the Membrane CLI as a proxy to Sapling and asks you to authenticate via Membrane (browser login). Before installing or using it, verify the @membranehq CLI package and the publisher (https://getmembrane.com), and review Membrane's privacy/security docs because traffic to Sapling will be proxied through their service. Prefer ephemeral or containerized installs over global `npm -g` installs in sensitive environments. Limit the Membrane connection's permissions to least privilege, and confirm your organization's policies for granting third-party access to HR data.
Like a lobster shell, security has layers — review code before you run it.
