Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vendasta

v1.0.0

Vendasta integration. Manage data, records, and automate workflows. Use when the user wants to interact with Vendasta data.

by Membrane Dev (@membranedev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description claim a Vendasta integration which is plausible, and the SKILL.md references Vendasta docs and Membrane. However, the skill does not declare what credentials or API keys it needs to access Vendasta (no required env vars), and a large portion of the SKILL.md is noisy/unrelated content, reducing confidence that required capabilities are fully described.
Instruction Scope
The SKILL.md is an instruction-only file that asks for network access and a Membrane account but provides few concrete runtime steps and contains lots of generic/irrelevant text. It does not clearly state what data will be read, which endpoints will be called, or how authentication is performed. This vagueness gives the agent broad discretion and obscures potential data exfiltration paths.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes disk write/execute risk — nothing is downloaded or installed by the skill itself.
Credentials
The skill declares no required env vars or credentials but does state 'Requires network access and a valid Membrane account.' It's unclear whether Vendasta credentials are needed or are expected to be proxied through Membrane. The absence of explicit credential requirements is not necessarily wrong but is under-specified and should be clarified before use.
Persistence & Privilege
The skill's 'always' setting is false and the skill is user-invocable. It does not request persistent system privileges or claim to modify other skills or system settings.
What to consider before installing
This skill is instruction-only (no code installed) and broadly matches its stated purpose, but the runtime instructions are vague and contain a lot of unrelated text. Before installing or enabling it:

1) Ask the publisher how authentication is handled — will you need Vendasta API keys or does Membrane proxy requests on your behalf?
2) Request a clear list of network endpoints the skill will call (e.g., api.vendasta.com vs. getmembrane.com) and what data fields are transmitted.
3) If you will use it with real customer data, test in a low-risk environment first and limit the agent's network access where possible.
4) Prefer enabling only when user-invoked (not autonomous) until you confirm the data flow and credential handling.

If the vendor cannot clearly explain these points, consider this skill untrusted.

Like a lobster shell, security has layers — review code before you run it.

latest vk97f426fz0japjgc28xyft1t0n84bfpr
