Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Unbox

v1.0.0

Unbox integration. Manage data, records, and automate workflows. Use when the user wants to interact with Unbox data.

by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill claims to integrate with Unbox and all runtime instructions revolve around using the Membrane CLI to discover connectors, create connections, run actions, and proxy API requests — this aligns with the stated purpose. Minor inconsistency: the 'Official docs' link points to Apple ARKit (developer.apple.com/documentation/arkit), which is unrelated and appears to be a copy/paste error; not fatal but worth verifying.
Instruction Scope
SKILL.md instructs the agent/operator to install and run the Membrane CLI, perform interactive login, create connections, list actions, run actions, and proxy requests. All referenced commands and data (connectionId, actionId, input JSON) are within the Unbox-integration scope; instructions do not ask the agent to read arbitrary local files or unrelated environment variables.
Install Mechanism
There is no registry install spec, but the runtime instructions recommend installing @membranehq/cli from npm (npm install -g @membranehq/cli) or using npx. Using a public npm package is expected for this integration but carries the usual risks of installing code from a public registry; prefer npx or review the package/owner before global install.
Credentials
The skill declares no required environment variables or credentials; it relies on Membrane to handle auth via an interactive login and connector flows. This is proportionate to the stated functionality and avoids asking for unrelated secrets.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install-time hooks in the registry metadata. Autonomous invocation is allowed by default but that is normal; the skill itself does not request elevated persistent privileges.
Assessment
This skill appears to do what it says: it uses the Membrane CLI to connect to Unbox and run actions. Before installing or running anything:
(1) verify the npm package @membranehq/cli is the official Membrane package and review its README and publisher account on the npm registry;
(2) prefer using npx for one-off runs instead of a global npm install, or install in an isolated environment;
(3) be prepared for an interactive browser-based login that gives Membrane access to the connected service — review what scopes/permissions are being granted when you authenticate;
(4) ignore the Apple ARKit link in the SKILL.md (likely a copy/paste error) but ask the skill author to correct it if you need official Unbox docs;
(5) if you plan to let an autonomous agent use this skill, ensure you trust the agent, because it can call arbitrary connector actions and proxy requests through your Membrane connection to Unbox data.

Like a lobster shell, security has layers — review code before you run it.

latest vk970b7ytg6n9mtv0gr1e6yq1a984h9mm
