ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mx Toolbox

v1.0.2

Mx Toolbox integration. Manage Organizations. Use when the user wants to interact with Mx Toolbox data.

0· 110·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, and runtime instructions consistently describe a Membrane-based integration with Mx Toolbox. The skill does not request unrelated binaries, env vars, or config paths.
Instruction Scope
Instructions are limited to installing and using the Membrane CLI, creating connections, listing actions, running actions, and proxying API calls. This stays within the integration scope, but proxying means requests and any request payloads will be sent through Membrane's service—so user data and API requests will be visible to that third party.
Install Mechanism
There is no built-in install spec. The instructions recommend installing @membranehq/cli from the npm registry (a standard source). The skill itself doesn't download or extract arbitrary archives.
Credentials
The skill declares no required environment variables or credentials and relies on the Membrane CLI to perform authentication. That is proportionate, though it does shift credential custody to the Membrane service/CLI.
Persistence & Privilege
The skill is not always-included and has no special persistence requirements. Autonomous invocation is allowed by default (platform normal) and is not combined with any broad credential requests.
Assessment
This skill appears coherent: it delegates auth and API calls to the Membrane CLI/service rather than requesting local secrets. Before installing/use, consider: (1) you will need a Membrane account and to install their CLI (npm package @membranehq/cli) which writes to your system; (2) API calls and payloads routed via Membrane will be visible to that third party—review Membrane's privacy/security docs and permission scopes; (3) avoid running it in environments with highly sensitive secrets unless you trust Membrane and the CLI; and (4) if you want tighter control, prefer performing direct API calls yourself or audit the specific actions you invoke via Membrane. If you want more assurance, provide the skill's publisher/source verification or a signed release for the CLI package.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d4vc8fkdyjqmmvmxngbsp59842w8z

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments