ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Spiff

v1.0.0

Spiff integration. Manage data, records, and automate workflows. Use when the user wants to interact with Spiff data.

0· 24·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill claims to integrate with Spiff and all runtime instructions use the Membrane CLI to discover connectors, create connections, run actions, and proxy API requests — this matches the described purpose. The README suggests installing the CLI via npm which is expected for a CLI-driven integration. The registry metadata lists no required env vars or binaries, but the SKILL.md explicitly documents installing the Membrane CLI; that is a minor documentation mismatch but not a functional incoherence.
Instruction Scope
SKILL.md only instructs running the Membrane CLI, performing browser-based authentication flows, listing/connecting actions, and proxying requests to the Spiff API through Membrane. It does not instruct reading unrelated system files, harvesting environment variables, or exfiltrating data to unknown endpoints beyond the Membrane service (which is the expected proxy).
Install Mechanism
This is an instruction-only skill (no install spec). It instructs users to install @membranehq/cli via npm -g, which is a normal distribution mechanism for a CLI but does involve downloading code from the public npm registry. That is expected for this workflow but carries the usual npm install risks (verify package source and version).
Credentials
The skill declares no required environment variables or credentials and explicitly recommends letting Membrane handle auth rather than requesting API keys. The authentication flow requires the user to sign in via a browser (or complete a headless flow). No disproportionate or unrelated secrets are requested.
Persistence & Privilege
always is false and the skill does not request permanent agent presence or system-wide config changes. It relies on an external service (Membrane) to manage credentials; that external service will see proxied requests and auth tokens, which is expected behavior for this integration but worth noting.
Assessment
This skill is coherent: it relies on the Membrane CLI to talk to Spiff and intentionally avoids asking for raw API keys. Before installing: verify you trust the @membranehq/cli package and the Membrane service (check publisher, package version, and privacy/security docs at getmembrane.com), be prepared to authenticate in a browser (or complete the headless flow), and understand that data and auth tokens will be proxied through Membrane's service. Do not paste unrelated secrets into chat or CLI prompts, and confirm connector/connection IDs before running actions that modify production data.

Like a lobster shell, security has layers — review code before you run it.

latestvk979hmebfbb0sqjv774m74jzr9846f6g

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments