Skill v1.0.3
ClawScan security
Chimp Rewriter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 1:51 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is instruction-only and its requirements (a Membrane account and the Membrane CLI) match the stated Chimp Rewriter integration purpose; no unexplained credentials or risky install URLs are present, though installing a global npm CLI has normal supply-chain considerations and the README mixes global install vs npx usage.
- Guidance
- This skill appears coherent: it uses the Membrane CLI to connect to Chimp Rewriter and does not ask for unrelated secrets. Before installing or running it:
  - Verify the @membranehq/cli package on npm and the linked GitHub repo (check maintainer, recent releases, and package contents).
  - Prefer npx or pin a specific version instead of npm install -g @latest to reduce supply-chain risk, or run the CLI in an isolated environment/container.
  - Understand that Membrane will handle auth server-side but the CLI will store tokens locally—review where those are stored and the Membrane privacy/terms.
  - Confirm what access the created connection grants to your Chimp Rewriter account (scope of actions) before authorizing.
  If you want, I can fetch the npm package metadata and GitHub repo (if you provide network access) and summarize what I find.
Review Dimensions
- Purpose & Capability
- ok
- Name/description say it integrates with Chimp Rewriter and the SKILL.md consistently instructs the agent to use the Membrane CLI to create a connection and run actions against Chimp Rewriter. Required capabilities (network + Membrane account) align with that purpose.
- Instruction Scope
- ok
- All runtime instructions are limited to installing/using the Membrane CLI, authenticating via the provided browser flow or authorization code, creating a connection, discovering actions, and running them. The instructions do not ask the agent to read unrelated files, request unrelated credentials, or exfiltrate data to other endpoints. One minor inconsistency: the doc suggests a global npm install but elsewhere uses npx for some commands; functionally you can use either.
- Install Mechanism
- note
- No arbitrary downloads or extracts; install is via npm (npm install -g @membranehq/cli@latest) or commands using npx. Using npm is expected for a CLI but carries normal supply-chain risk inherent to public registry packages. The lack of a pinned version and the suggestion to install @latest increases exposure; consider using npx or pinning a specific version or auditing the package before global install.
- Credentials
- ok
- The skill requests no environment variables or local config paths. Authentication is delegated to Membrane (browser/code flow). This is proportionate to the stated integration. Note: the Membrane CLI will likely persist authentication tokens/config locally (typical for CLI tools), so users should be aware where those tokens are stored and who controls the Membrane service.
- Persistence & Privilege
- ok
- Skill is instruction-only, has no install-time components, and is not marked always:true. It does not request system-wide privileges or attempt to modify other skills or agent configs. Autonomous invocation defaults were not changed by this skill.
