ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Workiz

v1.0.0

Workiz integration. Manage data, records, and automate workflows. Use when the user wants to interact with Workiz data.

0· 27·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Workiz integration) align with the instructions: the SKILL.md instructs using the Membrane CLI to discover connectors, create a Workiz connection, run actions, and proxy API requests. Nothing requested (no env vars, no config paths) is unrelated to that purpose.
Instruction Scope
Instructions are scoped to installing and using the Membrane CLI to authenticate, manage connections, list/run actions, and proxy API calls to Workiz. This includes running commands that open a browser-based login flow and using Membrane's proxy to send arbitrary Workiz API requests — expected for this integration, but it does mean request payloads and Workiz data transit Membrane's servers. The instructions do not ask the agent to read local files or unrelated environment variables.
Install Mechanism
The skill is instruction-only (no install spec in registry) but tells users to run `npm install -g @membranehq/cli`. Installing a global npm package is a normal way to obtain the referenced CLI but carries the usual supply-chain considerations (verify package source, version, and integrity). The commands reference official docs and the Membrane GitHub; no obscure download URLs are present.
Credentials
The skill requests no environment variables or local secrets. It explicitly instructs to avoid asking users for API keys and instead create connections via Membrane (server-side auth). The level of credential access is proportional to a Workiz integration.
Persistence & Privilege
The skill does not request permanent presence (always:false) and will not autonomously install or modify other skills. It instructs interactive CLI usage and connection creation, which is normal for this class of skill.
Assessment
This skill appears coherent and does what it says: it guides you to install and use the Membrane CLI to connect to Workiz and run actions. Before installing or using it, consider: (1) The Membrane service will mediate access to Workiz data — review Membrane's privacy/security policies and confirm you trust that vendor. (2) Installing a global npm package runs third‑party code; verify the package name, version, and source (use the official @membranehq package and consider installing in an isolated environment if concerned). (3) The agent's commands will open a browser login flow and may proxy arbitrary Workiz API calls through Membrane — avoid sending sensitive data you don't want routed through a third party. If you accept those tradeoffs, the skill's instructions and requirements are proportionate to its purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk979b28x0e5x6079ack0axw389847en4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments