ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Slack

v1.0.7

Slack integration. Manage communication data, records, and workflows. Use when the user wants to interact with Slack data.

0· 394·3 current·3 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the instructions: it integrates Slack via the Membrane CLI. There are no unexpected credentials, binaries, or unrelated system access requested.
Instruction Scope
SKILL.md only directs use of the Membrane CLI to create connections, list actions, run actions, and optionally proxy Slack API calls. It does not instruct reading unrelated files or harvesting local credentials. It does require network access and a Membrane account (explicitly documented).
Install Mechanism
This is an instruction-only skill, but the documentation tells users/agents to run `npm install -g @membranehq/cli` to install the Membrane CLI from the public npm registry. Using npm is common and expected for this workflow; it is a moderate-risk install mechanism compared with no installs, so verify the package (publisher, npm page, checksum) before installing globally.
Credentials
No environment variables or local credentials are requested by the skill. Instead it relies on Membrane to manage Slack auth server-side via a Membrane account/connection. This is proportionate, but note that granting a connection gives Membrane (and the CLI) the ability to act on your Slack workspace and see its data.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default); that means the agent could run Membrane CLI commands (including actions that change Slack state) if the user has created a connection.
Assessment
This skill appears to do what it says: integrate Slack using Membrane. Before installing or using it: 1) verify the @membranehq/cli package on npm and the Membrane project (publisher, repo, recent activity) before running a global install; 2) be aware that creating a Slack connection grants Membrane/its CLI access to your workspace (messages, files, ability to post/delete), so review requested OAuth scopes; 3) do not supply Slack API keys locally—follow the documented connection flow; 4) if you allow the agent to run autonomously, it could perform actions in Slack (post/delete), so restrict invocation or review commands/results when necessary; and 5) if you need higher assurance, test in a sandbox Slack workspace and inspect Membrane's privacy/security documentation and terms before connecting production data.

Like a lobster shell, security has layers — review code before you run it.

latestvk977a0kfwry2kvhrkeg86a8g2s843qc1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments