Skill v1.0.3

ClawScan security

Avochato · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 12:11 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only integration that delegates Avochato access to the Membrane CLI; its requirements and instructions are consistent with the stated purpose.
Guidance
This skill is coherent: it delegates Avochato access to the Membrane CLI and does not ask for unrelated secrets. Before installing/running anything, verify the @membranehq/cli package and publisher (npm page, GitHub repo, checksums) and confirm you trust Membrane to handle auth and connector data. Remember that installing a global npm package executes third-party code on your machine; if you prefer, you can interact directly with Avochato's official API instead of installing the CLI. If you have sensitive data, test in a sandbox account first.

Review Dimensions

Purpose & Capability
ok: The name/description (Avochato integration) match the instructions: use the Membrane CLI to connect to Avochato, discover actions, and run them. Required network access and a Membrane account are coherent with the skill's purpose.
Instruction Scope
ok: SKILL.md only instructs installing and using the Membrane CLI, creating/listing connections and actions, and running those actions. It does not ask the agent to read unrelated files, query unrelated environment variables, or exfiltrate data to unexpected endpoints. It does rely on interactive browser-based auth or a user-provided code in headless flows, which is expected for OAuth-like flows.
Install Mechanism
note: The skill is instruction-only (no install spec), but it tells users/agents to run `npm install -g @membranehq/cli@latest`. Installing a global npm package is a standard mechanism but does execute third-party code on the system; verify the package identity and trustworthiness before installing.
Credentials
ok: The skill declares no required environment variables or credentials and explicitly instructs not to ask users for Avochato API keys. It relies on Membrane to manage credentials server-side, which is proportionate to the stated design.
Persistence & Privilege
ok: The skill does not request always-on inclusion or elevated privileges. Installing the Membrane CLI will add a persistent binary to the system if the user chooses to install it, but the skill itself does not demand persistent platform-level privileges or modify other skills.