Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sterlingbackcheck

v1.0.0

SterlingBackcheck integration. Manage data, records, and automate workflows. Use when the user wants to interact with SterlingBackcheck data.

by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill description matches a SterlingBackcheck integration, and the SKILL.md consistently describes using the Membrane CLI to access SterlingBackcheck. However, the package metadata lists no required binaries or install spec, while the instructions explicitly require npm/node and the @membranehq/cli (and use npx). This undeclared dependency is an inconsistency.
Instruction Scope
The instructions focus on installing Membrane CLI, logging in, creating a connection, listing actions, running actions, and proxying requests to SterlingBackcheck via Membrane. They do not instruct reading arbitrary system files, harvesting environment variables, or exfiltrating data to unrelated endpoints. Headless auth and browser-based login flows are described.
Install Mechanism
There is no formal install spec in the registry, yet the SKILL.md tells users to run 'npm install -g @membranehq/cli' and uses 'npx ...'. A public npm install is a reasonable way to get the CLI, but the absence of an install spec and required-binaries declaration is inconsistent. Installing a global npm package carries moderate risk (it executes third-party code); verify the package and publisher.
Credentials
The skill does not request environment variables or secrets and explicitly instructs not to ask users for API keys, relying on Membrane to manage credentials. This is proportionate. Note: using Membrane means Membrane's service will hold and use your SterlingBackcheck credentials/requests, so trust in Membrane is required.
Persistence & Privilege
The skill is not always-enabled and does not request extra platform privileges. The only persistence is via authenticating through Membrane (normal for a CLI that stores credentials/session). It does not propose modifying other skills or system-wide settings.
What to consider before installing
Before installing: verify the @membranehq/cli package and publisher on npm and confirm you trust Membrane (the CLI and Membrane service will broker access to your SterlingBackcheck data). Ask the skill author or registry maintainer to update the skill metadata to declare required binaries (node/npm, membrane) and network/Membrane-account requirements. Consider running the CLI install in an isolated environment (container/VM) if you are unsure. The skill itself does not ask for API keys (it uses Membrane), but that centralises access with Membrane — ensure that aligns with your data-governance and privacy requirements.

Like a lobster shell, security has layers — review code before you run it.
