Code Climate

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing a global CLI gives that external package code execution on the local machine during installation and use.

Why it was flagged

The skill instructs installing the latest version of an external global npm CLI. This is central to the skill's purpose, but it means behavior can change with future package releases.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Install only if you trust Membrane and npm as the source; consider pinning or reviewing the package version in managed environments.

What this means

The integration may retain authorization to access Code Climate data through Membrane until the connection is revoked.

Why it was flagged

The integration relies on delegated authentication and credential refresh for Membrane/Code Climate access. This is disclosed and purpose-aligned, but it involves sensitive account authorization.

Skill content

Membrane handles authentication and credentials refresh automatically

Recommendation

Authorize only the intended Code Climate account or organization, review requested scopes during login, and revoke the connection when no longer needed.

What this means

A mistaken or over-broad action could remove a repository from Code Climate/Qlty analysis.

Why it was flagged

The listed Code Climate actions include a destructive repository-management operation. This matches the stated management purpose, but it is a high-impact action if run on the wrong repository.

Skill content

| Delete Repository | delete-repository | Removes a repository from Code Climate |

Recommendation

Require clear user confirmation before delete or other mutation actions, and verify the organization, repository, and connection ID before execution.