Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Uplead
v1.0.0UpLead integration. Manage data, records, and automate workflows. Use when the user wants to interact with UpLead data.
⭐ 0· 36·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name and description state an UpLead integration and the SKILL.md exclusively documents using the Membrane CLI to discover and run UpLead actions or proxy UpLead API calls. Required binaries and env vars are minimal and appropriate for an instruction-only connector guide.
Instruction Scope
Instructions ask the user/agent to install @membranehq/cli, run interactive login flows, create connections, list actions, run actions, and use Membrane's proxy to call UpLead endpoints. This stays within the stated purpose, but it explicitly routes requests and credentials through Membrane's servers — users should understand that authentication and request proxying happen off-host.
Install Mechanism
No install spec is embedded in the skill bundle (instruction-only). The doc recommends npm install -g @membranehq/cli or using npx. Installing an npm package is expected here but carries the usual supply-chain considerations (postinstall scripts, global binaries). Using npx or reviewing the package source mitigates some risk.
Credentials
The skill declares no required env vars and does not request unrelated credentials. However, it delegates UpLead authentication to Membrane (server-side). That is proportionate to the purpose but is a privacy/third-party-trust consideration: your UpLead credentials and proxied requests will be handled by Membrane rather than stored locally.
Persistence & Privilege
always is false and there is no install that forces persistent presence. The skill is user-invocable and can be invoked autonomously (platform default). Autonomous invocation combined with networked proxying is expected for this integration but users should be aware an agent could make proxied requests if given permission.
Assessment
This skill appears to do what it claims, but before installing or using it consider: 1) You will need network access and a Membrane account — Membrane handles UpLead auth and proxies requests, so you are delegating credentials and traffic to that third party. 2) The doc recommends installing @membranehq/cli from npm; prefer npx or review the package/source before running a global install to reduce supply-chain risk. 3) Understand and review the connection and permission flow in Membrane (what the connector can access) before authorizing. 4) If you are uncomfortable delegating credentials, don’t create the connection and instead use UpLead’s official API with local keys under your control. 5) If you plan to allow autonomous agents to use this skill, restrict agent privileges or monitor actions so it cannot make unexpected proxied API calls without your approval.Like a lobster shell, security has layers — review code before you run it.
latestvk974kjmh9n0ky5wg2h7k8z4wgn84hk2a
License
MIT-0
Free to use, modify, and redistribute. No attribution required.