Skill v1.0.3

ClawScan security

Api Sports · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 6:03 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent: it documents using the Membrane CLI to access API Sports data, requests no unrelated credentials, and contains only usage instructions (no hidden installs or surprising actions).
Guidance
This skill is coherent and appears safe to inspect, but it relies on the third-party @membranehq/cli npm package and your Membrane account. Before installing the CLI globally, verify the npm package and publisher (review the package page and repository), consider installing in a contained environment (container or VM) if you prefer isolation, and avoid pasting any unrelated secrets into commands. If you need tighter control, you can use Membrane's web console to create connections instead of installing the CLI locally.

Review Dimensions

Purpose & Capability
ok: The name/description (API Sports integration) matches the instructions (use Membrane to connect to API Sports, list/create actions, and run them). Required capabilities (network access and a Membrane account/CLI) are reasonable and proportional to the stated purpose.
Instruction Scope
ok: SKILL.md only instructs installing the Membrane CLI, running membrane login/connect/action commands, and creating/running actions. It does not instruct reading unrelated files, exfiltrating secrets, or accessing system paths beyond normal CLI usage. It also explicitly advises not to ask users for API keys.
Install Mechanism
note: There is no automatic install spec in the skill bundle, but the documentation advises installing @membranehq/cli via 'npm install -g'. Installing a global npm package is a normal approach but does run third-party code on the host; review the package and its publisher before installing, or install in a contained environment.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. It requires a Membrane account and connection to manage API credentials server-side, which is consistent with the instructions and does not request unrelated secrets.
Persistence & Privilege
ok: The skill is user-invocable, not always-included, and does not request elevated or persistent system privileges. No installation artifacts are written by the skill itself (instruction-only).