ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Logstash

v1.0.2

Logstash integration. Manage data, records, and automate workflows. Use when the user wants to interact with Logstash data.

0· 75·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to integrate with Logstash and its SKILL.md consistently uses a third-party gateway (Membrane) to provide connectors and auth — this is a plausible design. However, the registry metadata lists no required binary even though the instructions explicitly require the 'membrane' CLI and a Membrane account; also the package source and owner are not fully proven in the manifest (homepage is getmembrane.com and repository referenced, but overall 'Source: unknown' in registry metadata is notable).
Instruction Scope
The SKILL.md stays within its stated purpose: it instructs the user/agent to install and use the Membrane CLI to list connections, run actions, and proxy requests to Logstash. It does not direct the agent to read unrelated local files, environment variables, or transmit data to arbitrary external endpoints beyond Membrane.
!
Install Mechanism
There is no formal install spec in the registry, but the runtime instructions tell the operator to run 'npm install -g @membranehq/cli'. Global npm installs are a moderate supply-chain risk and can affect the host environment. The package name appears to match the service described, but the skill should have declared the required binary in metadata and ideally include provenance or a vetted install spec.
Credentials
The skill requests no environment variables or credentials and explicitly tells users to let Membrane handle credentials and not to paste API keys. This is proportionate to a connector-based Logstash integration.
Persistence & Privilege
The skill is not always-on and does not request special platform privileges. Default autonomous invocation is allowed (normal for skills). If you enable autonomous use, the agent could call Membrane and interact with your Logstash connections — consider whether you trust the skill and Membrane before allowing autonomous invocation.
What to consider before installing
This skill appears to be a Membrane-based Logstash connector and is mostly coherent, but take these precautions before installing: (1) Verify you trust the @membranehq package on npm (check publisher, package page, and recent releases) before running a global install. (2) Note the registry metadata does not declare the 'membrane' binary even though SKILL.md requires it — treat that as a packaging/metadata omission. (3) Because the skill uses a third-party gateway for auth and proxying, confirm you are comfortable granting the agent/network access to your Logstash data via Membrane. (4) If you are concerned about automatic actions, do not enable autonomous invocation for this skill or restrict its permissions until you've validated it in a controlled environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk975rgkavz6ycm8wevmeh1xx1984253h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments