Starton
v1.0.2Starton integration. Manage Projects, Users, Roles. Use when the user wants to interact with Starton data.
⭐ 0· 103·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill claims to integrate with Starton via Membrane and its instructions consistently show how to discover and run Starton actions through the Membrane CLI and proxy. Minor inconsistency: registry metadata lists no required binaries, but SKILL.md explicitly instructs the user to install the 'membrane' CLI (npm install -g @membranehq/cli). This is plausibly an oversight rather than malicious.
Instruction Scope
SKILL.md restricts runtime behavior to installing/using the Membrane CLI, logging in, creating connections, listing actions, running actions, and proxying requests to the Starton API. It does not instruct reading unrelated files, harvesting environment variables, or exfiltrating data to third-party endpoints outside Membrane/Starton.
Install Mechanism
There is no install spec in the registry (instruction-only). The SKILL.md tells users to run 'npm install -g @membranehq/cli' (and proposes npx for ad-hoc commands). Installing a global npm package is a legitimate but higher-friction action; it is not performed automatically by the skill. This is moderate-risk operationally (global installs can require elevated privileges), but not suspicious in context.
Credentials
The skill declares no required environment variables or keys and explicitly instructs not to ask users for API keys (it relies on Membrane-managed connections). That is proportionate for a connector that delegates auth to a central service.
Persistence & Privilege
The skill is not forced-always, does not request elevated persistence, and contains no instructions to modify other skills or system-wide settings. Autonomous invocation is permitted (platform default) but not combined with other red flags.
Assessment
This skill appears coherent and implements Starton access through the Membrane CLI. Before installing or using it: 1) Verify you trust Membrane (getmembrane.com / @membranehq package) since connections and credentials are managed server-side; understand what permissions a connection grants to Membrane. 2) Prefer using npx for one-off commands if you want to avoid a global npm install; global installs can require elevated privileges. 3) When creating a connection, complete auth only via official browser flows and review what account or API access you're granting. 4) Be cautious when using 'membrane request' to proxy arbitrary paths—raw requests may send sensitive data to the target API. 5) Note the minor metadata omission: the SKILL.md expects the 'membrane' CLI even though the registry's required-binaries field is empty; ensure the CLI is present before invoking the skill.Like a lobster shell, security has layers — review code before you run it.
latestvk97e5mywgy8629rw3grehvndcx843yyz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.