Skill v1.0.1
ClawScan security
Cirrus Labs · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 22, 2026, 11:17 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's purpose (Cirrus Labs integration) is plausible, but the runtime instructions require installing and using the Membrane CLI (npm global install, Node/npm) even though the skill metadata declares no install or required binaries — this mismatch and the implicit trust in the external Membrane CLI warrant caution.
- Guidance: This skill delegates all runtime work to the Membrane CLI and platform. Before installing or using it: (1) note that SKILL.md expects you to install a global npm package (@membranehq/cli) even though the skill metadata lists no install or required binaries — verify you are comfortable installing and running that CLI. (2) Confirm the CLI/package provenance: check the npm package and the GitHub repository (https://github.com/membranedev/application-skills and the @membranehq/cli project) and review its code or audit its maintainer if possible. (3) Understand that authentication happens through Membrane (browser flow) and Membrane will manage your Cirrus connection tokens — you must trust their handling of credentials. (4) Prefer installing the CLI in an isolated environment (container or VM) if you want to limit blast radius from a compromised package. (5) Ask the skill author to update metadata to declare required binaries (node/npm) and to include an install spec, or provide a signed package/source link to improve transparency. If you cannot verify the Membrane CLI or its maintainers, treat the skill as untrusted.
Review Dimensions
- Purpose & Capability
  - note: The skill claims to integrate with Cirrus Labs and, in practice, delegates work to the Membrane platform/CLI to manage connections and actions. Delegation to a third-party integration service is coherent with the stated purpose, but the skill does not declare the actual dependency on the Membrane CLI (or on Node/npm) in its metadata, creating an expectation mismatch.
- Instruction Scope
  - ok: SKILL.md stays on-topic: it instructs how to install and use the Membrane CLI to authenticate, connect to Cirrus, discover and run actions. It does not instruct reading unrelated system files or exfiltrating secrets. The instructions ask the user to authenticate interactively (browser/authorization code) rather than sending raw API keys, which is appropriate for delegated platform use.
- Install Mechanism
  - concern: There is no install spec in the registry metadata, yet the instructions explicitly tell the user to run 'npm install -g @membranehq/cli@latest' (and use npx). That implies a global Node/npm install and network fetch from the npm registry. The absence of an install entry for this dependency in the skill metadata is an inconsistency and increases risk because the skill implicitly requires downloading and running third-party code.
- Credentials
  - ok: The skill declares no required environment variables and does not ask for API keys; authentication is performed via the Membrane CLI web-based flow. The requested privileges (interactive login to Membrane) are proportionate to the stated purpose. However, using the Membrane platform centralizes credentials with that service, so you must trust Membrane's handling of your connections and tokens.
- Persistence & Privilege
  - ok: The skill is not always-enabled and does not request persistent system-level privileges in the metadata. It is instruction-only and would not autonomously install or persist itself from the registry side. The main persistence risk comes from installing the Membrane CLI (a separate binary), which may store credentials locally via its own mechanism.
