Skill v1.0.3
ClawScan security
Deployhq · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 1:03 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions align with a DeployHQ integration: it relies on the Membrane CLI and Membrane-based connections rather than asking for unrelated credentials or system access.
- Guidance: This skill appears coherent for integrating DeployHQ via the Membrane platform. Before installing: verify the @membranehq/cli npm package is the official CLI (check the package publisher and repository), consider installing the CLI in an isolated environment (container or VM) rather than globally if you want to limit impact, and be aware the login flow will produce tokens/connections that grant access to your DeployHQ data; only create connections with the minimum required privileges. Because the skill can be invoked autonomously by the agent (normal default), avoid granting it broader access than needed and review any actions it suggests running before execution.
Review Dimensions
- Purpose & Capability (ok): Name and description (DeployHQ integration) match the runtime instructions which use the Membrane CLI and a DeployHQ connector. The requested operations (list/create/update projects, servers, deployments, etc.) are coherent with the stated purpose.
- Instruction Scope (ok): SKILL.md instructs the agent to install and use the Membrane CLI, create a connection to DeployHQ, list and run actions, and authenticate via browser or headless code flow. It does not instruct reading unrelated files, requiring unrelated env vars, or transmitting data to unexpected endpoints.
- Install Mechanism (note): There is no formal install spec, but the instructions tell the user to run 'npm install -g @membranehq/cli@latest'. Installing a global npm CLI is a reasonable and expected step for this integration, but global npm installs execute third-party code from the npm registry; verify the package and prefer isolated environments if concerned.
- Credentials (ok): The skill declares no required env vars or credentials. Authentication is delegated to Membrane's login flow and connection creation, which is appropriate for an integration. The skill explicitly advises not to ask users for API keys.
- Persistence & Privilege (ok): always is false and the skill is user-invocable with normal autonomous invocation allowed. There is no indication the skill requests permanent presence, modifies other skills, or accesses unrelated credentials.
