ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Worksnaps

v1.0.0

Worksnaps integration. Manage data, records, and automate workflows. Use when the user wants to interact with Worksnaps data.

0· 46·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description say 'Worksnaps integration' and the runtime instructions only require using the Membrane CLI and a Membrane account to create a connector and run actions or proxied API requests — this is a coherent, expected design for an integration skill.
Instruction Scope
SKILL.md stays on-topic: it instructs installing/using the Membrane CLI, creating a connection, listing/running actions, and optionally proxying Worksnaps API calls through Membrane. It does not ask the agent to read unrelated files, environment variables, or system state, and explicitly advises not to ask the user for raw API keys.
Install Mechanism
There is no formal install spec in the skill bundle, but SKILL.md tells users to run 'npm install -g @membranehq/cli' (and also shows 'npx' usage). Installing a global npm package is a moderate-risk action because it fetches third-party code to run locally; this is proportional to the task but the user should verify the package and prefer npx or pinned versions if they want to avoid a global install.
Credentials
The skill requests no environment variables or local secrets. It relies on a Membrane account and browser-based auth to obtain/handle Worksnaps credentials server-side, which is proportional for an integration that delegates auth to a third-party service.
Persistence & Privilege
The skill does not request 'always: true' and does not require writing to other skills' configs. Autonomous invocation is allowed (platform default) and appropriate for an integration skill. The only persistent change a user may perform is installing the Membrane CLI locally if they choose to.
Assessment
This skill is coherent, but before installing or using it you should: (1) Verify you trust Membrane as the intermediary — Membrane will hold and use your Worksnaps credentials and proxy API requests. Review Membrane's privacy/security docs and the CLI package on npm/GitHub. (2) Prefer using 'npx @membranehq/cli@latest' or a pinned version instead of a global 'npm install -g' if you want to avoid installing third-party binaries system-wide. (3) Be aware the login flow opens a browser and grants connector access to Worksnaps — only grant permissions you intend. (4) If you need stronger assurance, inspect the @membranehq/cli package source and releases on its official GitHub before installing and run it in an isolated environment (container/VM) if possible.

Like a lobster shell, security has layers — review code before you run it.

latestvk974pzvy7gerzm1qd18d7yb0xs84f20k

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments