ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stripe Treasury

v1.0.0

Stripe Treasury integration. Manage data, records, and automate workflows. Use when the user wants to interact with Stripe Treasury data.

0· 47·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Stripe Treasury integration) matches the actions in SKILL.md: it instructs use of the Membrane CLI to create connections, list actions, run actions, and proxy requests to Stripe Treasury. No unrelated credentials, binaries, or capabilities are requested.
Instruction Scope
SKILL.md stays on-topic: it tells the agent to install/use the Membrane CLI, run login/connect/list/action/request commands, and use Membrane as a proxy. It does not instruct reading unrelated system files or environment variables, nor sending data to unexpected endpoints beyond Membrane/Stripe.
Install Mechanism
The registry contains no install spec (instruction-only), but SKILL.md tells users to run `npm install -g @membranehq/cli`. That is a reasonable, low-risk instruction (public npm package) but the lack of an explicit install spec means installation behavior is not enforced or sandboxed by the skill metadata—verify the package author and version before installing globally.
Credentials
The skill declares no required env vars or primary credential. It intentionally delegates credential management to Membrane (SKILL.md explicitly advises creating connections rather than pasting API keys), which is coherent with its design. Users should understand that using this skill gives Membrane (the operator of the CLI/service) delegated access to Stripe on their behalf.
Persistence & Privilege
always:false (default) and model invocation is allowed (default) — expected for an optional integration. The skill does not request persistent system-wide changes or access to other skills' configs.
Assessment
This skill appears coherent, but before installing or using it: (1) confirm you trust Membrane (@membranehq) because the CLI/proxy will hold/manage Stripe credentials on your behalf; review Membrane's security/privacy docs and the npm package and GitHub repo provenance; (2) prefer installing the CLI in a controlled environment (avoid global install on sensitive systems) or use a pinned version; (3) when running membrane commands, inspect outputs and connection IDs before sharing them; (4) if you require organization-level control, use org-managed Stripe/Membrane accounts and least-privilege connections; and (5) if you need higher assurance, ask the publisher to provide an explicit install spec and signed release artifacts or verify the package checksum.

Like a lobster shell, security has layers — review code before you run it.

latestvk975p3cxac33024qs8qvdgcak184efnj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments