Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Spiritme
v1.0.0
SpiritMe integration. Manage data, records, and automate workflows. Use when the user wants to interact with SpiritMe data.
by Membrane Dev @membranedev
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the SKILL.md: the skill delegates SpiritMe interactions to the Membrane platform and CLI. Requesting network access and the Membrane CLI is consistent with that stated purpose; no unrelated credentials or system access are requested.
Instruction Scope
Runtime instructions only direct the agent to install and use the Membrane CLI, run lookup/connect/action/request commands, and follow browser-based auth flows. The instructions do not ask the agent to read arbitrary files, exfiltrate environment variables, or contact unexpected endpoints beyond Membrane/SpiritMe.
Install Mechanism
This is an instruction-only skill (no install spec), but the SKILL.md tells users to install a global npm package (@membranehq/cli). Installing a third-party npm CLI is a normal choice for a CLI-based integration but does introduce the usual supply-chain considerations (npm package provenance, global install effects).
Credentials
The skill declares no required environment variables or secrets. It explicitly instructs to let Membrane handle credentials and not to ask users for API keys, which is proportional to the stated function.
Persistence & Privilege
The skill does not request always:true or any elevated platform persistence. It is user-invocable and allows normal autonomous invocation (platform default), which is not excessive here.
Assessment
This skill is coherent: it uses the Membrane CLI to proxy SpiritMe API calls and does not ask for local secrets. Before installing or running commands, confirm you trust the Membrane project (@membranehq) and the npm package (review its repository, maintainers, and recent activity). Be aware that Membrane will handle authentication and therefore will be able to make API calls on your behalf to SpiritMe — only proceed if you are comfortable granting that access. If you prefer tighter control, verify the exact npm package version to install (avoid blindly running global installs of unpinned @latest) and review Membrane's privacy/security docs and the SpiritMe connector implementation in the referenced repository.
Like a lobster shell, security has layers — review code before you run it.
