ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Uploadcare

v1.0.1

Uploadcare integration. Manage data, records, and automate workflows. Use when the user wants to interact with Uploadcare data.

0· 44·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The README-style instructions describe interacting with Uploadcare via Membrane (search/connect/run actions/proxy requests). Required items (network and a Membrane account) align with the stated Uploadcare integration purpose; no unrelated credentials or paths are requested.
Instruction Scope
Runtime instructions stay on-topic: they tell the agent to install and use the Membrane CLI, create connections, run actions, and proxy Uploadcare API calls. There are no instructions to read arbitrary host files, collect extra secrets, or exfiltrate data to unexpected endpoints.
Install Mechanism
There is no install spec in the manifest (instruction-only). The SKILL.md recommends installing @membranehq/cli globally via npm, which is a common but moderately privileged install step (global npm install). This is expected for the workflow but worth noting because it writes a third-party binary to the host.
Credentials
The skill declares no required environment variables or credentials. Authentication is handled interactively via Membrane (browser login / connector flow), which matches the skill's purpose and avoids asking the user for Uploadcare API keys locally.
Persistence & Privilege
always is false and the skill does not request installation persistence or modification of other skills or system-wide settings. Default autonomous invocation is allowed but is not combined with other concerning privileges.
Assessment
This skill is instruction-only and appears coherent, but you should consider the following before installing: 1) The workflow relies on the third-party Membrane CLI (@membranehq/cli). Verify the package (npm listing, maintainer, and GitHub repo) and review its trust/privacy policy before global install. 2) The Membrane service will broker auth and proxied API calls — if you plan to handle sensitive files or metadata, confirm you trust Membrane and understand where data will be transmitted and stored. 3) Global npm installs require elevated filesystem access on some systems; prefer a scoped install or containerized environment if you are cautious. 4) Because this is instruction-only, the static scanner had no code to analyze; if you need stronger assurance, ask the skill author for the exact Membrane CLI version and its source repository or test the flow in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f3gqc5r0g8kwkkcqxf9x26s84gn57

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments