Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sitecore

v1.0.0

Sitecore integration. Manage data, records, and automate workflows. Use when the user wants to interact with Sitecore data.

by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (Sitecore integration) matches the instructions, which direct the agent to use the Membrane CLI to create a connector, run actions, and proxy API requests to Sitecore. Network access and a Membrane account are appropriate and expected.
Instruction Scope
Instructions stay within the integration scope (install CLI, login via browser, create/connect connector, list and run actions, proxy requests). One important operational note: any JSON or request body you pass via the CLI (e.g., --input or --data) will be sent to Membrane and then to Sitecore — so the CLI commands can transmit user content to Membrane's servers. The SKILL.md does not instruct reading unrelated files, environment variables, or local secrets.
Install Mechanism
The registry contains no formal install spec, but SKILL.md instructs installing @membranehq/cli via npm (global). Installing a published npm CLI is a common pattern, but global npm installs run package install scripts and modify system PATH; you should verify the package identity (author, versions) and trustworthiness before installing globally.
Credentials
The skill declares no required environment variables or credentials and explicitly recommends using Membrane to manage credentials server-side. There are no requests for unrelated secrets or system credentials.
Persistence & Privilege
The skill is not forced-always and uses normal autonomous-invocation defaults. It does not request persistent system-wide privileges or modify other skills. Note: as with any networked skill, an agent invoking these instructions can cause data to be sent to the external Membrane service when commands are executed.
Assessment
This skill appears coherent, but before installing or using it:
1) Verify and trust the @membranehq/cli npm package and its publisher (review the package on npm/GitHub and confirm the repo matches the vendor).
2) Remember that any data you pass to the CLI (input, request bodies, query parameters) will be transmitted to Membrane and then to Sitecore — avoid sending sensitive secrets or PII unless you're certain of policy and consent.
3) Prefer testing the CLI in an isolated environment or container (rather than installing globally) if you want to limit system impact.
4) If your organization restricts third-party SaaS or proxies, confirm that using Membrane is allowed.
5) If you need higher assurance, ask the skill author for the exact connector implementation or an official vendor link for the Membrane connector used.

Like a lobster shell, security has layers — review code before you run it.
