Skill v1.0.2

ClawScan security

Blink · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 2, 2026, 9:09 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only integration that tells the agent to use the Membrane CLI to interact with Blink; its requirements and instructions are consistent with that purpose and it does not request unrelated credentials or system access.
Guidance
This skill is instruction-only and coherent: it tells you to install and use the Membrane CLI to connect to Blink and run actions. Before installing or using it, consider the following: (1) installing @membranehq/cli globally requires trust in that npm package—review its npm/GitHub page and maintainers; (2) the skill requires a Membrane account and will route Blink API requests through Membrane, so confirm you trust Membrane's security and privacy practices; (3) authentication uses a browser flow (or headless code exchange) so be prepared to complete that flow; (4) because the skill has no declared env vars or persistent agent-level privileges, it does not attempt to access unrelated local secrets—if you see prompts for API keys or other credentials outside Membrane, treat that as suspicious. If you need higher assurance, inspect the @membranehq/cli source or use a vetted release channel before installing.

Review Dimensions

Purpose & Capability
ok: Name/description say 'Blink integration' and the instructions exclusively describe using the Membrane CLI to discover connectors, create connections, run actions, and proxy API requests to Blink. No unrelated services, env vars, or binaries are requested.
Instruction Scope
ok: SKILL.md limits runtime behavior to installing/using the Membrane CLI, authenticating via browser flow, listing/searching connectors, running actions, and optionally proxying API calls through Membrane. It does not instruct reading local files, harvesting unrelated environment variables, or transmitting data to unexpected endpoints.
Install Mechanism
note: The instructions recommend installing a global npm package (@membranehq/cli). This is expected for a CLI-driven integration but carries the usual supply-chain risk of installing global npm packages; the skill itself is instruction-only and does not perform any install automatically.
Credentials
ok: The skill declares no required env vars, no primary credential, and the instructions explicitly advise against collecting API keys locally—relying on Membrane to manage auth. Requested access (a Membrane account and network) is proportionate to the described integration.
Persistence & Privilege
ok: Skill is not always-enabled and uses default autonomous invocation capability. It does not request to modify system or other skills' configs and has no install-time persistence defined.