Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cloudcraft

v1.0.0

Cloudcraft integration. Manage data, records, and automate workflows. Use when the user wants to interact with Cloudcraft data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (Cloudcraft integration) matches the instructions: all actions are routed through the Membrane CLI and its proxy to interact with Cloudcraft. Nothing in the SKILL.md requests unrelated services or credentials.
Instruction Scope
The runtime instructions are narrowly scoped to installing and using the Membrane CLI, creating a connection, listing and running actions, and proxying API requests. They do not instruct reading unrelated files or exfiltrating local secrets. It does require network access and an interactive browser-based login (or headless code flow).
Install Mechanism
No install spec in the registry; the SKILL.md recommends installing @membranehq/cli via npm (global). Using an npm package is expected for a CLI but carries the usual supply-chain considerations (npm registry package execution). This is proportionate to the task but the user should verify the package and origin before installing globally (npx is suggested in places, which is a safer alternative).
Credentials
The skill declares no environment variables or special credentials; instead it relies on the Membrane account/connection flow. That is appropriate for a proxy-based integration. Note: granting Membrane a connection gives Membrane access to Cloudcraft account data (server-side), which is a trust decision the user must accept during connect/login.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. Autonomous invocation is enabled by default (normal). There is no evidence the skill requests elevated or persistent system privileges.
Assessment
This skill is internally consistent: it simply documents using the Membrane CLI to access Cloudcraft. Before installing or using it, verify the legitimacy of Membrane (@membranehq) and the npm package (inspect its repository, publisher, and recent releases). Understand that creating a Membrane connection will allow Membrane to access and proxy requests for your Cloudcraft data (server-side storage/refresh of tokens may occur) — only proceed if you trust that service. Prefer running via npx or inspecting the CLI code rather than a global npm install if you want lower system impact. Finally, review what permissions you grant during the browser login/connection flow and limit autonomous agent invocation if you do not want the agent to call the skill without explicit confirmation.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97akkafyyt33sk1x2s840hp8h849z0y
