Skill v1.0.3
ClawScan security
Cisco Meraki · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 12:15 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's claims, instructions, and requirements are internally consistent: it uses the Membrane CLI to access Cisco Meraki and does not request unrelated credentials or OS-level privileges.
- Guidance: This skill appears coherent: it delegates auth and API calls to Membrane rather than asking for raw Meraki keys. Before installing/running the CLI, verify the @membranehq/cli package and the getmembrane.com project are trusted (check the npm package page and GitHub repository), consider installing the CLI in an isolated environment or container, and be aware that granting Membrane account access enables Membrane's servers to interact with your Meraki data. If you need stricter control, ask whether a self-hosted connector or pinned CLI version is available.
Review Dimensions
- Purpose & Capability (ok): The skill declares a Cisco Meraki integration and all runtime instructions use the Membrane CLI and a Membrane connection named cisco-meraki. Requiring a Membrane account and network access matches the stated purpose — nothing unrelated (e.g., AWS keys, system tokens) is requested.
- Instruction Scope (ok): SKILL.md is focused: it instructs installing the Membrane CLI, logging in, creating connections, discovering and running actions. It does not instruct the agent to read arbitrary files, environment variables, or to send data to unexpected endpoints beyond Membrane/Meraki.
- Install Mechanism (note): There is no formal install spec in the registry, but the instructions tell the user to run 'npm install -g @membranehq/cli@latest'. Installing a global npm package is a typical step but carries the usual risk of installing code from the npm registry; pinning a specific vetted version or verifying the package source would be safer.
- Credentials (ok): The skill declares no required env vars or primary credential. Authentication is handled interactively via the Membrane CLI/browser flow, which is proportionate to the integration and avoids asking for raw API keys in the skill itself.
- Persistence & Privilege (ok): The skill is instruction-only, does not set always:true, and does not request modifications to other skills or system-wide settings. It does require a Membrane account and CLI login but that is standard for this integration.
