Skill v1.0.3

ClawScan security

Didomi · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 22, 2026, 1:18 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally coherent: it instructs the agent to use the Membrane CLI to interact with Didomi and does not request unrelated credentials or install arbitrary code itself.
Guidance
This skill appears to be what it says: a Membrane-based Didomi integration. Before using it, verify the Membrane CLI package (publisher and npm registry) and prefer npx if you want to avoid a global install. Understand that Membrane will broker authentication and may store/process your Didomi credentials and data — review Membrane's privacy/security docs and your organization's policy before sending sensitive data. Avoid running login flows or installing packages on untrusted machines; if you need to operate in a headless/CI environment, confirm the expected headless auth flow and who will have access to the resulting tokens. If you require higher assurance, confirm the skill publisher (repository/owner) and that the Didomi connector in your Membrane tenant is provided by an expected vendor.

Review Dimensions

Purpose & Capability
ok
The name/description (Didomi integration) matches the instructions: all runtime steps use the Membrane CLI and Membrane's Didomi connector. Required capabilities (network access and a Membrane account) are appropriate for this integration.
Instruction Scope
note
SKILL.md stays within scope: it only describes installing/using the Membrane CLI, authenticating via browser/URL, creating a connection, discovering and running actions. It does not instruct reading unrelated files or harvesting local secrets. Note: the skill expects interactive authentication flows and headless URL-based completion; follow those carefully in shared or automated environments.
Install Mechanism
note
The skill is instruction-only (no install spec), but instructs the user to install @membranehq/cli via npm (or use npx). This is proportional to the stated purpose. Consider using npx to avoid a global install and verify the package identity (publisher, registry) before installing globally.
Credentials
note
No environment variables or local secrets are requested by the skill. However, using the Membrane service means authentication and Didomi credentials will be handled server-side by Membrane — this is expected but has privacy implications (your Didomi data and tokens will be processed/stored by Membrane).
Persistence & Privilege
ok
The skill does not request persistent inclusion (always:false) and does not modify other skills or system-wide settings. Agent invocation/autonomy is allowed but that's the platform default and not a unique risk here.