Back to skill
Skillv1.0.1
ClawScan security
Adbutler · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 22, 2026, 9:25 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, requirements, and behavior align with an AdButler integration that uses the Membrane CLI; nothing requested is disproportionate to that purpose.
- Guidance
- This skill is coherent for connecting to AdButler via the Membrane service. Before installing: verify the @membranehq/cli package (check its npm page, GitHub repo, and publisher), and review Membrane's privacy and credential storage policies so you understand where AdButler credentials will be kept. Because the instructions ask you to install a global npm CLI, consider installing in an isolated environment (VM/container) if you have supply-chain concerns. Finally, do not paste API keys or secrets into chat — follow the Membrane login/connect flow as described so credentials stay managed by Membrane.
Review Dimensions
- Purpose & Capability
- okName/description (AdButler integration) match the runtime instructions: the skill instructs using the Membrane CLI to create a connection to AdButler and run pre-built actions. No unrelated credentials, binaries, or capabilities are requested.
- Instruction Scope
- okSKILL.md stays on-topic: it guides installing the Membrane CLI, logging in, creating a connector, discovering and running actions, and polling build state. It does not instruct the agent to read arbitrary local files or exfiltrate secrets and explicitly advises not to request API keys from users.
- Install Mechanism
- noteThe skill is instruction-only (no install spec in registry) but instructs users to run `npm install -g @membranehq/cli@latest`. Installing a global npm package is a normal step for a CLI but represents a moderate supply-chain risk compared with instruction-only skills that require no install; verify the package and its publisher before installing.
- Credentials
- okNo environment variables, config paths, or credentials are declared or requested. The skill requires a Membrane account (expected) and relies on Membrane to manage AdButler credentials server-side, which is consistent with its advice to avoid collecting API keys locally.
- Persistence & Privilege
- okThe skill is not forced-always, does not claim elevated platform privileges, and does not modify other skills or system-wide agent settings. It simply directs use of a user-installed CLI.