Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Veriff
v1.0.0
Veriff integration. Manage data, records, and automate workflows. Use when the user wants to interact with Veriff data.
by Membrane Dev (@membranedev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign (high confidence)
Purpose & Capability
The name/description (Veriff integration) matches the runtime instructions: using the Membrane CLI to list/connect/run actions or proxy API requests to Veriff. There are no unrelated credential or filesystem requirements in the instructions.
Instruction Scope
SKILL.md only directs the agent/operator to install and use the Membrane CLI, perform login flows, discover actions, run actions, or proxy requests to Veriff via Membrane. It does not instruct reading unrelated files, exfiltrating data, or accessing unrelated environment variables.
Install Mechanism
The registry has no formal install spec, but SKILL.md instructs installing @membranehq/cli globally via npm (public registry). Installing a global npm package writes to disk and executes code from the npm registry (moderate risk) — expected for this integration but worth confirming the package's authenticity before installing.
Credentials
The skill declares no required environment variables and the instructions explicitly advise against asking users for API keys (use Membrane's connection flow). Credential handling is delegated to Membrane, which is proportionate to the stated purpose.
Persistence & Privilege
The skill is not always-enabled and requests no system-wide configuration or access to other skills' credentials. It relies on an external CLI and browser-based authentication; it does not request persistent agent privileges.
Assessment
This skill appears coherent: it uses Membrane's CLI to manage Veriff connections and does not ask for unrelated secrets. Before installing, consider: (1) installing @membranehq/cli globally will modify your system/npm global packages — only proceed if you trust the package and maintainers; (2) Membrane will broker auth and thus will have access to your Veriff data via the connection it creates — review Membrane's privacy/security posture and terms; (3) in locked or headless environments, follow the documented headless login flow and ensure this fits your security policy; (4) never paste your Veriff API keys into the chat — the skill explicitly instructs using Membrane connections instead. If you want extra caution, verify the @membranehq/cli package source (checksum or known-good version) before installing.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97912hhf27nazssrwjgt4edzh84dc0w
