Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Socket

v1.0.0

Socket integration. Manage data, records, and automate workflows. Use when the user wants to interact with Socket data.

by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description say this skill integrates with Socket, and the SKILL.md exclusively instructs use of the Membrane CLI and Membrane-hosted connections to talk to Socket. The requested capabilities (network access, Membrane account, CLI) match the stated purpose.
Instruction Scope
Instructions are narrowly scoped to installing/using @membranehq/cli, authenticating via Membrane, discovering connectors/actions, running actions, and proxying requests. One important operational detail: requests to Socket are sent via Membrane's proxy, so request payloads and responses will transit Membrane's infrastructure — this is expected for the stated workflow but is something the user should understand and accept.
Install Mechanism
There is no automated install spec in the package metadata; the SKILL.md recommends installing the Membrane CLI via npm (npm install -g @membranehq/cli). Using the public npm registry for a CLI is typical, but global npm installs modify the system environment and you should verify the package (publisher, package name/version) before installing. No downloads from untrusted URLs are instructed.
Credentials
The skill does not request any environment variables, secrets, or config paths. Authentication is delegated to Membrane (interactive login flow). The lack of requested local credentials is proportional to the stated design.
Persistence & Privilege
The skill does not request always-on inclusion, does not modify other skills or system-wide settings in the instructions, and allows normal user-invocation / autonomous invocation per platform defaults. No elevated persistence is requested.
Assessment
This skill is coherent, but you should only install/use it if you trust Membrane (getmembrane.com/@membranehq/cli) because the CLI and proxy will send your requests and data through Membrane's servers. Before installing: verify the npm package publisher and version, limit install scope if possible (use a container or npx instead of global install), inspect any actions/requests you run so you don't unintentionally forward sensitive data, and review Membrane's privacy/security documentation and terms.

Like a lobster shell, security has layers — review code before you run it.

latestvk974zfxztpkzwv693m0aq7axhn84aj38
