Skill v1.0.3

ClawScan security

Degreed · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 1:50 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it describes a Degreed integration and its instructions consistently direct the agent to use the Membrane CLI to connect to Degreed, with no unexpected credential requests or unrelated system access.
Guidance
This skill delegates Degreed access to the Membrane service via the @membranehq/cli. Before installing or running it:
1) Verify the npm package and the Membrane project (npmjs.org package page and the GitHub repo) to ensure you trust the vendor.
2) Prefer using npx for one-off runs if you don't want a global install.
3) Understand that authentication uses a browser-based flow and that the resulting connection and tokens are managed by Membrane (i.e., some user data and tokens will be handled by their service).
4) If your organization has policies about third-party connectors or storing credentials on external services, get approvals first.
If you want more assurance, ask the skill author for the exact package/version and a link to the Membrane CLI source and npm page so you can inspect them before installing.

Review Dimensions

Purpose & Capability
ok: The name/description (Degreed integration) match the instructions: all runtime steps use the Membrane CLI to create a Degreed connection, discover actions, and run them. Nothing in the SKILL.md requests unrelated services or credentials.
Instruction Scope
note: Instructions are limited to installing/using the Membrane CLI, logging in, creating a Degreed connection, discovering and running actions. They do not ask the agent to read arbitrary files or environment variables. Note: the workflow relies on the Membrane service and browser-based auth; using that service implies sending auth flows/data to Membrane servers (this is expected for a proxy/connector).
Install Mechanism
note: The SKILL.md recommends installing @membranehq/cli via npm -g or using npx. Installing global npm packages executes code from the npm registry (moderate risk compared to instruction-only). This is expected for a CLI-based integration, but users should confirm the package and source before installing.
Credentials
ok: The skill declares no required environment variables or credentials. The instructions explicitly say to let Membrane manage credentials and not to ask users for API keys, which is proportionate to the stated purpose.
Persistence & Privilege
ok: The skill does not request always:true or any elevated platform persistence. It is user-invocable and can be autonomously invoked (platform default), which is normal for skills of this type.