Back to skill
Skillv1.0.3
ClawScan security
Dock Certs · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 21, 2026, 6:03 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only Dock Certs integration that consistently directs the agent to use the Membrane CLI for authentication and actions — its requirements and instructions align with its stated purpose and it does not request disproportionate credentials or install arbitrary remote artifacts.
- Guidance
- This skill is coherent for interacting with Dock Certs via the Membrane platform. If you plan to use it, be aware that it asks you to install a global npm CLI (@membranehq/cli) which will run code on install and add a binary to your PATH — install it only on machines where you trust the source. Also confirm your organization is comfortable delegating auth to Membrane (it handles tokens server-side). If you want to avoid installing a global CLI, ask if an alternative (local binary, containerized CLI, or API-based integration) is available.
Review Dimensions
- Purpose & Capability
- okThe name/description (Dock Certs integration) matches the instructions: all guidance is about installing and using the Membrane CLI to connect to the Dock Certs connector and run actions. There are no unrelated credentials, binaries, or functionality requested.
- Instruction Scope
- okSKILL.md confines runtime behavior to installing the Membrane CLI, logging in, creating a connection, discovering actions, and running them. It does not instruct reading arbitrary files, harvesting environment variables, or sending data to unexpected endpoints. It explicitly advises not to ask users for API keys.
- Install Mechanism
- noteThe install instructions use npm install -g @membranehq/cli@latest. This is a typical way to get a CLI but global npm installs run code (postinstall hooks) and modify system PATH — normal for a CLI integration but higher-risk than an instruction-only skill that requires no installation.
- Credentials
- okNo environment variables, primary credential, or config paths are required by the skill. Authentication is delegated to Membrane via its CLI; this is proportionate for a SaaS connector integration.
- Persistence & Privilege
- okThe skill is not always-on, does not request persistent system-level privileges, and does not modify other skills' configs. It relies on the Membrane service for auth lifecycle rather than storing local secrets.