Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Workast

v1.0.0

Workast integration. Manage data, records, and automate workflows. Use when the user wants to interact with Workast data.

by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Workast integration) match the instructions: the SKILL.md explains using the Membrane CLI to connect to Workast, discover actions, run actions, and proxy API calls. Requested items (network access, Membrane account, installing @membranehq/cli) are appropriate for this purpose.
Instruction Scope
Runtime instructions are limited to installing and using the Membrane CLI, creating connections, listing actions, running actions, and proxying requests. One notable point: membrane request proxies arbitrary Workast API paths through Membrane — that is expected for this integration but means requests/data will be routed via Membrane's service.
Install Mechanism
There is no formal install spec in the registry metadata (instruction-only), but SKILL.md instructs users to run npm install -g @membranehq/cli. Installing a global npm package is a common pattern but carries the usual risks (executing third-party code on the host). The source (@membranehq/cli on npm / repository at github.com/membranedev) should be reviewed if you require higher assurance.
Credentials
The skill declares no required env vars, no config paths, and no credentials. That aligns with the guidance to use Membrane for auth rather than asking for API keys locally.
Persistence & Privilege
always is false and the skill is user-invocable. There is no indication it attempts to modify other skills or persist agent-wide settings. Autonomous invocation is allowed (platform default) but not excessive here.
Assessment
This skill appears coherent: it relies on the Membrane CLI to access Workast and does not request unrelated secrets. Before installing, consider: (1) Installing the CLI requires running a global npm package — review @membranehq/cli on npm/GitHub to ensure you trust the publisher. (2) Membrane acts as a proxy for API requests and will see any request/response data you send to Workast — review Membrane's privacy/security policies and ensure you are comfortable routing your Workast data through their service. (3) Use least-privilege accounts or scopes where possible and verify the CLI package version/signature if you need stronger guarantees.


latest: vk9766btb6yrj661g46wd12tjn9845pgm
