ClawHub

Tradeshift

v1.0.0

Tradeshift integration. Manage data, records, and automate workflows. Use when the user wants to interact with Tradeshift data.

0· 52·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is an integration for Tradeshift and consistently instructs use of the Membrane CLI/proxy for actions and authentication. One minor mismatch: the registry metadata declares no required binaries, but the SKILL.md tells users to install the @membranehq/cli (npm), which implies Node/npm are needed. This is a documentation/metadata inconsistency but not a functional mismatch with the stated purpose.
Instruction Scope
SKILL.md only instructs installing/using the Membrane CLI, logging into Membrane, creating connections, listing/running actions, and proxying API requests to Tradeshift. It does not ask the agent to read unrelated files, request unrelated credentials, or transmit data to unexpected endpoints. It explicitly recommends letting Membrane manage credentials.
Install Mechanism
There is no automated install spec in the package; the instructions recommend a user-run global npm install of @membranehq/cli (public npm). Installing a global npm package can execute code on the machine and requires trusting the package/maintainer. This is a moderate, expected risk for CLI-based integrations.
Credentials
The skill declares no required environment variables or credentials and relies on Membrane to handle Tradeshift auth server-side. That is proportionate to the skill's purpose. Be aware that using Membrane means Membrane (their servers) will hold and use your Tradeshift credentials/tokens.
Persistence & Privilege
The skill does not request elevated persistence (always:false) and does not modify other skills or system-wide settings. Model invocation is allowed (platform default), which is normal for skills.
Assessment
This skill appears to do what it says: it uses Membrane as a broker to talk to Tradeshift and avoids asking users for raw API keys. Before installing or using it: 1) Confirm you trust Membrane (getmembrane.com / @membranehq on npm) because Membrane will hold and proxy your Tradeshift credentials and can see data passing through; 2) Verify the @membranehq/cli npm package (owner, recent versions, audit) before globally installing — global npm installs run code on your machine; 3) If you prefer to avoid global installs or exposing credentials to a third party, consider using Tradeshift’s official APIs directly or run the CLI in an isolated environment; 4) Note the metadata omission (no declared required binaries) — ensure Node/npm are available if you plan to follow the SKILL.md steps.

Like a lobster shell, security has layers — review code before you run it.

latestvk978jjf6zv2de9ss67vmbav9fn84cbc6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments