Skill v1.0.2
ClawScan security
Acuity Scheduling · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 2, 2026, 8:47 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's actions and instructions are coherent with an Acuity Scheduling integration that uses the Membrane CLI; nothing requested or instructed appears disproportionate to that purpose.
- Guidance: This skill appears to be a straightforward Acuity Scheduling connector that relies on the Membrane CLI. Before installing or running commands: (1) verify you trust the @membranehq/cli package and consider installing it in an isolated environment or container (global npm installs have supply-chain risk); (2) confirm the Membrane project/repository and package version are legitimate; (3) be aware that authorizing a connection grants Membrane access to your Acuity data — use least-privilege account credentials and review OAuth scopes; (4) avoid running proxy commands that send or expose unrelated sensitive data; and (5) if you need higher assurance, ask the publisher for a signed release link or audit the CLI source before installing.
Review Dimensions
- Purpose & Capability (ok): Name/description match the runtime instructions: the SKILL.md directs use of the Membrane CLI to connect to Acuity Scheduling, list/run actions, and proxy API requests — all consistent with an integration skill.
- Instruction Scope (note): Instructions are explicit about installing and using the Membrane CLI, logging in, creating connections, listing/running actions, and optionally proxying raw API requests. The only notable scope item is that the proxy feature can run arbitrary requests against the Acuity API (via Membrane) — expected for flexibility but gives broad API access once a connection is authorized.
- Install Mechanism (note): No platform install spec in the registry (skill is instruction-only), but SKILL.md recommends installing a global npm package (@membranehq/cli). That's a common approach but carries standard supply-chain risk associated with installing a public npm package globally.
- Credentials (ok): The skill declares no required env vars or credentials; authentication is handled interactively by the Membrane CLI (browser-based login and connection flow). The absence of unrelated credentials is appropriate.
- Persistence & Privilege (ok): The skill is not forced-always and uses default autonomous-invocation behavior. It does not request persistent system-wide configuration changes in the SKILL.md; this is proportionate to a connector skill.
