Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tookan
v1.0.0
Tookan integration. Manage data, records, and automate workflows. Use when the user wants to interact with Tookan data.
by Membrane Dev (@membranedev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description say 'Tookan integration' and SKILL.md explicitly states it 'Requires network access and a valid Membrane account', but the skill metadata lists no required environment variables or primary credential. A Tookan integration normally needs service credentials (Tookan API key) or a platform-level credential; the metadata's failure to declare where auth comes from is an inconsistency. The skill's source is 'unknown', which increases the risk of misattribution.
Instruction Scope
SKILL.md is an instruction-only file describing Tookan entities and usage. From the provided excerpt there are no instructions that read local files, environment variables, or system paths unrelated to the integration. However the instructions reference needing a Membrane account but do not explain how credentials are supplied or where network calls will be sent (direct to Tookan API vs through Membrane), leaving an incomplete runtime picture.
Install Mechanism
No install spec and no code files are present (instruction-only). This is lower risk because nothing will be written or executed on disk by the skill itself.
Credentials
No environment variables or credentials are declared, yet the SKILL.md explicitly requires a Membrane account and implies access to Tookan data. Either the platform (Membrane) supplies credentials implicitly (which should be documented) or the skill is missing required credential declarations (Tookan API key, Membrane token). The omission makes it unclear how authentication and access to user Tookan data will be handled.
Persistence & Privilege
The skill sets always:false and uses normal agent invocation settings. It does not request permanent presence or elevated privileges, and it does not declare modifying other skills or system-wide settings.
What to consider before installing
This is an instruction-only Tookan integration that says it needs network access and a Membrane account but the package metadata does not declare any credentials or how authentication is handled. Before installing or enabling it:
- Ask the publisher how authentication works: does the platform (Membrane) handle Tookan API keys for you, or will you need to supply a Tookan API key somewhere? If credentials are required, confirm where they are stored and whether they stay private.
- Verify the skill owner and repository (the package lists a public homepage but the 'source' is unknown). Prefer skills from known/trusted owners or official connectors.
- Review privacy and data handling: what Tookan data will the skill read or modify and where will it be transmitted? Confirm that calls go to official Tookan endpoints or through the documented Membrane service.
- If you proceed, test with a least-privilege account or sandbox Tookan data to limit exposure.
I have medium confidence in this assessment; providing the full SKILL.md (untruncated) or clarification from the publisher about authentication would raise confidence and could move the verdict to benign if the auth model is clearly platform-handled and documented.
