Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Venn Nino

v1.0.0

Safely connects Gmail, Calendar, Drive, Atlassian (Jira/Confluence), Notion, GitHub, Salesforce, and dozens of other enterprise tools via a single MCP endpoi...

by @ninonano64 · fork of @neil-bd/venn (1.0.5)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (Venn MCP gateway for enterprise tools) align with the runtime requirements: the skill requires a VENN_UNIVERSAL_URL and a vennporter client binary, which are appropriate for a gateway/client integration.
Instruction Scope
SKILL.md confines actions to installing and using vennporter, registering the provided MCP URL, and performing OAuth/device-code authentication. It asks the agent to save the URL to openclaw.json and run local commands. It does not instruct the agent to read unrelated system files or exfiltrate arbitrary data. Minor inconsistencies: metadata/version strings differ across files, and the install path referenced in some places (~/.openclaw/workspace/skills/venn/...) depends on the extraction location, while the included script lives at scripts/install-vennporter.sh. This is a small packaging/path inconsistency to be aware of.
Install Mechanism
Although the install uses a GitHub repo (better than a random IP or pastebin), the script clones a third‑party repo (https://github.com/mansilladev/mcporter) from a feature branch (feat/device-code-grant), runs npm/pnpm install and build, and writes an executable to ~/.local/bin/vennporter which will be executed. Fetching and building arbitrary code locally is a moderate‑to‑high risk action unless you can verify the repository and maintainer; the use of a feature branch increases uncertainty about provenance and review.
Credentials
The skill only requires a single environment value VENN_UNIVERSAL_URL (a URL, not an API key). However, the OAuth/device-code flow will produce tokens that the installed client will store locally (expected for this use case). No unrelated credentials or paths are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It will install a user‑owned binary and configuration under the user's home (~/.local), and the installed client will persist config/auth tokens locally — expected but worth noting because the installed binary can be invoked autonomously by the agent in later runs.
What to consider before installing
Before installing: verify the GitHub repository and the maintainer (mansilladev) and inspect the code on the named branch; prefer an official release tag over an arbitrary feature branch. Understand the install will run npm/pnpm and build code, creating ~/.local/share/vennporter and ~/.local/bin/vennporter — only proceed if you trust that code. Confirm the VENN_UNIVERSAL_URL you provide points to your trusted Venn MCP endpoint (the skill will use it to access many enterprise services via OAuth). If unsure, run the install in an isolated environment or container, or ask the publisher for a signed release or official package URL. Finally, be aware OAuth/device code will produce tokens stored locally by the client — review where tokens are persisted and rotate/revoke them if you later uninstall or distrust the tool.

Like a lobster shell, security has layers — review code before you run it.

latest: vk971x5t70e1n7e1h8jegf6vkb983ezdf

Runtime requirements

🦉 Clawdis
Bins: vennporter
Env: VENN_UNIVERSAL_URL
Primary env: VENN_UNIVERSAL_URL