Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sendbird

v1.0.2

Sendbird integration. Manage Users, Channels. Use when the user wants to interact with Sendbird data.

by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description say Sendbird integration and the SKILL.md consistently instructs using the Membrane CLI to discover connectors, create a Sendbird connection, and run actions or proxied requests. No unrelated services, binaries, or config paths are requested.
Instruction Scope
Instructions focus on installing and using the Membrane CLI, logging in, creating connections, listing actions, and running requests. They do not instruct reading arbitrary files, harvesting unrelated env vars, or exfiltrating data. The doc explicitly warns not to ask users for API keys and to let Membrane manage credentials.
Install Mechanism
The skill is instruction-only (no install spec), but directs users/agents to run `npm install -g @membranehq/cli` or use npx. Installing a package from the public npm registry is a reasonable instruction for this integration, but it is an action that writes software to disk and requires trusting the package maintainer (Membrane).
Credentials
The skill declares no required env vars or primary credential. The instructions rely on a Membrane account (service-side credential management) rather than requesting Sendbird API keys locally, which is proportionate to the stated purpose. This shifts trust to Membrane rather than the skill requesting secrets.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other concerning factors.
Assessment
This skill is coherent: it uses the Membrane CLI to access Sendbird rather than asking for Sendbird API keys. Before installing or running commands, verify the @membranehq/cli package and the Membrane service (npm package page, GitHub repo, and the organization) to ensure you trust them. Prefer running CLI commands in a user account you control (avoid installing global packages on shared systems), and do not share Sendbird API keys with the skill — follow the provided flow to let Membrane manage credentials. If you need an offline or self-hosted integration, confirm Membrane's data handling and storage policies first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97abnqc7ctk3vrfkc8vnm2eed842xk4
