Skill v1.0.3
ClawScan security
Bitly · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 8:03 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it is an instruction-only Bitly integration that tells the agent to use the Membrane CLI to create a Bitly connection and run actions; it requests no unrelated credentials or hidden installs, but you should verify the Membrane CLI package before installing it globally.
- Guidance: This skill is coherent and instruction-only: it tells you to install and use the Membrane CLI to connect to Bitly. Before installing the CLI, verify the @membranehq/cli npm package and its GitHub repository (check maintainers, recent releases, and readme). Understand that Membrane will handle Bitly auth server-side—if you have data-policy or privacy concerns, review Membrane's docs and where it stores tokens. Prefer testing with a limited-scope or test Bitly account first, and avoid installing global npm packages on production machines without review.
Review Dimensions
- Purpose & Capability (ok): Name/description say 'Bitly integration' and the instructions exclusively describe using the Membrane CLI to connect to Bitly, list/create/run Bitly-related actions, and manage connections. No unrelated services, credentials, or binaries are requested.
- Instruction Scope (ok): SKILL.md instructs installing @membranehq/cli, running membrane login/connect/action commands, and using Membrane to avoid direct API key handling. It does not instruct reading arbitrary files, other env vars, or contacting endpoints outside the Membrane/Bitly flow.
- Install Mechanism (note): The skill is instruction-only (no install spec), but it instructs the user to run 'npm install -g @membranehq/cli@latest'. This is a normal way to obtain the CLI but is a global npm install (moderate risk): verify the package's authenticity, review its npm and GitHub pages, and prefer installing only from trusted sources.
- Credentials (ok): No environment variables, credentials, or config paths are requested by the skill. The SKILL.md explicitly says Membrane will handle credentials server-side and that you should not supply Bitly API keys directly — this is appropriate and proportional to the stated purpose.
- Persistence & Privilege (ok): The skill does not request 'always: true' and has no install-time code or files. Autonomous invocation is enabled (default) but that is normal for skills and not by itself a problem here.
