Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shipworks

v1.0.0

ShipWorks integration. Manage data, records, and automate workflows. Use when the user wants to interact with ShipWorks data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill describes ShipWorks operations and consistently instructs the agent to use the Membrane CLI and Membrane connections to access ShipWorks; requiring a CLI and network access is appropriate for this integration.
Instruction Scope
SKILL.md stays on-topic: it instructs installing and using the Membrane CLI, creating/listing connections, running actions, and proxying API requests. It does not ask to read unrelated local files or environment variables, nor to exfiltrate data to unexpected endpoints.
Install Mechanism
The instructions recommend installing a third-party npm CLI (@membranehq/cli) globally. This is proportionate to the task, but installing a public npm package requires trusting that package/provider; the registry entry itself does not perform the install.
Credentials
No environment variables, credentials, or config paths are requested by the skill. The docs explicitly state Membrane manages auth server-side, which aligns with the described workflow.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system config, and is user-invocable. Default autonomous invocation is allowed by platform policy and does not by itself raise concerns here.
Assessment
This skill is coherent, but before installing or using it: (1) Confirm you trust the Membrane service (@membranehq) because the workflow gives Membrane proxy access to ShipWorks data; review their privacy/terms and the package on npm/github. (2) Prefer using npx or a non-global install (or a container) to avoid an untrusted global npm package. (3) Expect an interactive browser-based login flow (or a copy-paste code for headless environments). (4) If you need stricter control, inspect the Membrane CLI code/repo and the connector documentation to verify what data will be proxied and logged.

Like a lobster shell, security has layers — review code before you run it.
