Skill v1.0.3

ClawScan security

Arive · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 3:07 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it describes using the Membrane CLI to access Arive and its instructions, install step, and authentication flow match that purpose; no unrelated credentials or risky install sources are requested — though you should understand that data and auth are routed through the Membrane service and you must trust that provider and the npm package you install.
Guidance
This skill appears coherent and does what it says: it uses the Membrane CLI to connect to Arive. Before installing: 1) Verify you trust Membrane and the @membranehq/cli npm package (check the package page, maintainer, and repository), since a global npm install runs code on your machine. 2) Understand that authentication and data flow through Membrane's service — if your data or credentials are sensitive, confirm the privacy/security posture and hosting of Membrane. 3) Consider running the CLI in an isolated environment (container or VM) if you have security concerns. If you want, I can list specific checks to validate the npm package and the Membrane service before you proceed.

Review Dimensions

Purpose & Capability
ok
Name/description (Arive integration) align with the instructions: the SKILL.md tells the agent to use the Membrane CLI to create a connection to Arive and run actions. There are no unrelated environment variables, binaries, or config paths required.
Instruction Scope
note
Instructions stay within scope (install CLI, login via Membrane, connect with connectorKey 'arive', discover and run actions). Important privacy/operational note: the skill relies on Membrane as an intermediary that handles authentication and action execution server-side, so Arive data and auth flows will pass through Membrane's service.
Install Mechanism
note
This is an instruction-only skill (no install spec), but it tells users to run 'npm install -g @membranehq/cli@latest'. That is a standard public npm package install (traceable) but installing arbitrary global npm packages grants code execution on the host and should be done only from trusted packages/sources.
Credentials
ok
The skill declares no required env vars, credentials, or config paths. The SKILL.md explicitly says not to ask users for API keys and to let Membrane manage credentials — consistent with the declared requirements.
Persistence & Privilege
ok
Skill does not request forced persistence (always: false) and contains no steps that modify other skills or system-wide agent settings. Autonomous invocation is allowed by platform default but is not combined with other concerning privileges.