ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Semaphore

v1.0.2

Semaphore integration. Manage Organizations. Use when the user wants to interact with Semaphore data.

0· 97·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Semaphore integration) matches the instructions: discovering connectors, creating connections, running actions, and proxying requests to Semaphore via the Membrane CLI.
Instruction Scope
Instructions ask the operator/agent to install and use the Membrane CLI, run login flows, list/connect actions, and use membrane request to proxy arbitrary Semaphore API calls. This is coherent with the stated purpose but means API requests and credentials are mediated by the Membrane service — users should be aware that request payloads and metadata will transit Membrane.
Install Mechanism
No automated install spec in the registry (instruction-only), but SKILL.md instructs installing @membranehq/cli via npm (-g). Installing a global npm package is a normal user step but has moderate risk if the npm package is untrusted; the skill does not automatically download or execute code itself.
Credentials
The skill declares no required env vars, no credentials, and no config paths. All credential handling is delegated to Membrane as described, which matches the stated guidance to create connections rather than ask for API keys locally.
Persistence & Privilege
The skill is not always-enabled and does not request persistent elevated privileges or to modify other skills or system-wide agent settings. It is an instruction-only integration that relies on a user-installed CLI.
Assessment
This skill appears to do what it says: it uses the Membrane CLI to manage Semaphore connections and actions. Before installing or using it: 1) Confirm you trust Membrane (getmembrane.com/@membranehq) because API calls and auth will flow through their service. 2) Inspect the @membranehq/cli npm package (package page, maintainers, recent releases) before running npm install -g. 3) Prefer testing in a non-production account or sandbox first to see what data is proxied. 4) Do not paste secrets into chat; if you prefer not to route requests through a third party, consider using Semaphore's official API directly with appropriately scoped tokens.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dmfsy1r16f3825qcwf2vgsd842ta0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments