Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nessus

v1.0.0

Nessus integration. Manage data, records, and automate workflows. Use when the user wants to interact with Nessus data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill declares Nessus integration and all runtime instructions use Membrane to connect to Nessus (creating connections, running actions, and proxying API calls). Nothing requested (no env vars, no unrelated binaries) is inconsistent with that purpose.
Instruction Scope
SKILL.md instructs installing and using the Membrane CLI and describes commands to list/create connections, run actions, and proxy requests to the Nessus API. The instructions do not ask the agent to read unrelated files or capture unrelated secrets, but they do direct the user/agent to run a third-party CLI and to authenticate via Membrane (browser-based login).
Install Mechanism
No install spec is embedded in the skill bundle (instruction-only), but the doc tells users to run `npm install -g @membranehq/cli`. Installing a global npm package will execute third-party code on the host — it's a standard distribution channel but has inherent trust risk. The instruction does not point to arbitrary downloads or nonstandard URLs.
Credentials
The skill requests no environment variables or local credential files; it requires a Membrane account (declared in the doc) which is consistent with using a connector platform that manages credentials server-side. There are no unexplained secret requests.
Persistence & Privilege
The skill is instruction-only, does not request always:true, and does not claim to modify other skills or global agent settings. Normal autonomous invocation is allowed (platform default) but not excessive in this skill.
Assessment
This skill appears coherent: it uses Membrane as a connector to talk to Nessus rather than handling Nessus credentials directly. Before installing or using it:
1) Decide whether you trust the Membrane service and the @membranehq/cli npm package (review the npm package page, maintainer, and GitHub repo).
2) Install the CLI in a controlled environment (or sandbox) if you want to limit risk from third-party code.
3) Verify the created connector's permissions and which Nessus endpoints the connector will access; avoid pasting raw API keys into chat.
4) If you have enterprise security policies, confirm Membrane meets them (data residency, credential handling, and audit logging).
If any of these checks fail or you cannot verify the Membrane package, treat this skill with caution.
