ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Spaycial

v1.0.2

Spaycial integration. Manage data, records, and automate workflows. Use when the user wants to interact with Spaycial data.

0· 72·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Spaycial integration) aligns with an instruction-only skill that requires network access. However the SKILL.md's metadata says a 'Membrane account' is required but the skill declares no primary credential or required environment variables; that could be legitimate (OAuth/web-based auth) but is a mismatch worth checking.
!
Instruction Scope
Only an excerpt of SKILL.md was provided but the file is very long and appears generic. The visible instructions state 'Requires network access and a valid Membrane account' but do not show explicit auth flows, which makes runtime behavior ambiguous — it's unclear what data the agent will collect, where tokens are stored, or what external endpoints will receive user data.
Install Mechanism
No install spec and no code files — lowest-risk delivery model. Nothing is written to disk by an installer according to the provided metadata.
Credentials
The skill requests no environment variables or credentials in the manifest but the SKILL.md requires a Membrane account. Absence of declared credentials is plausible if auth is interactive/OAuth, but you should confirm how authentication is performed and whether tokens or secrets will be requested or stored.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent inclusion or other privileges in the provided metadata.
What to consider before installing
This skill is instruction-only and claims to integrate Spaycial via Membrane, but the SKILL.md is vague about authentication and data flows. Before installing: (1) ask the publisher how authentication works (OAuth browser flow or API key?), where credentials are stored, and whether you must paste tokens; (2) verify which external endpoints will receive data (getmembrane.com vs spaycial.com) and that they are trusted; (3) request a full copy of SKILL.md or runtime steps so you can confirm the agent won’t read unrelated local files or environment variables; (4) prefer skills that declare required credentials (e.g., MEMBRANE_API_KEY) or clearly describe the auth flow. If the publisher cannot answer these, treat the skill with caution and avoid granting any secrets.

Like a lobster shell, security has layers — review code before you run it.

latestvk973p1ejhvm96y800h80nvn48d842g06

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments