ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Storyous

v1.0.0

Storyous integration. Manage data, records, and automate workflows. Use when the user wants to interact with Storyous data.

0· 24·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes a Storyous integration that operates via the Membrane CLI (network access and a Membrane account are required). However, the registry metadata declares no required binaries or credentials. That omission is an inconsistency: the skill implicitly requires the @membranehq/cli and network/auth but does not list them in the manifest.
Instruction Scope
Runtime instructions are narrowly scoped to using the Membrane CLI to discover actions, run actions, and proxy requests to the Storyous API. They do not ask the agent to read unrelated local files or extra environment variables. The only operational caveat is that the instructions recommend installing a global npm CLI and performing browser-based authentication (which grants Membrane access to Storyous on the user's behalf).
!
Install Mechanism
There is no install spec in the registry, yet SKILL.md instructs the user to run `npm install -g @membranehq/cli`. That global install step is not declared in metadata and will write binaries to disk. Because installation is left to instructions rather than declared in the manifest, the skill's install expectations are incomplete and may surprise users.
Credentials
The skill does not request local environment variables or secrets in its manifest and explicitly advises not to ask users for API keys, relying instead on Membrane to manage credentials. This is proportionate to the stated purpose. Note: using Membrane means delegating Storyous credentials and request proxying to an external service.
Persistence & Privilege
The skill is not forced-always, does not request to modify other skills, and does not claim persistent elevated privileges. Autonomous invocation is allowed (platform default) but not combined with any other high-risk indicator here.
What to consider before installing
This skill is an instruction-only integration that expects you to install and run the Membrane CLI and to sign in from a browser so Membrane can proxy requests to Storyous. Before installing or running anything: 1) Confirm you are comfortable granting Membrane (getmembrane.com) access to your Storyous account — that service will see and act on your data. 2) Be aware the SKILL.md asks you to run `npm install -g @membranehq/cli` (global install) but the registry metadata did not list this requirement — treat that omission as a red flag and prefer to inspect the CLI source (npm package / GitHub) before installing. 3) If you want tighter control, ask the skill publisher why the manifest omits required binaries and network/account requirements and request an updated manifest that declares them. 4) If you proceed, run the CLI and authentication steps manually (not via an automated agent) so you can review browser permissions and scopes. 5) If you have sensitive data or strict compliance needs, verify Membrane's privacy/security docs and the connector's scopes, or avoid granting third-party proxy access.

Like a lobster shell, security has layers — review code before you run it.

latestvk978768vdr8kx6k4spxna5v26s845y1s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments