Skill v1.0.3
ClawScan security
Everee · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 2:05 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally coherent: it is an instruction-only wrapper that uses the Membrane CLI to talk to Everee and does not request unrelated credentials or filesystem access.
- Guidance: This skill is coherent for interacting with Everee via Membrane. Before installing/using it: (1) verify you trust the @membranehq/cli npm package (check npm/GitHub repo and publisher), (2) be aware the CLI will store login tokens locally after you run 'membrane login', and any agent that runs these commands can access payroll data—limit autonomous execution or require confirmation before running actions that read or modify payroll/worker records, (3) when asked to authenticate in a browser, confirm the URL is Membrane/Everee official and do not paste sensitive credentials into untrusted prompts.
Review Dimensions
- Purpose & Capability (ok): Name/description (Everee integration) matches the instructions: all actions are about connecting to Everee via the Membrane CLI and running/listing Everee-related actions. No unrelated services, binaries, or env vars are requested.
- Instruction Scope (ok): SKILL.md only instructs use of the Membrane CLI (login, connect, action list/run/create) and browser-based authentication. It does not instruct reading arbitrary files, accessing unrelated environment variables, or sending data to endpoints outside Membrane/Everee.
- Install Mechanism (note): There is no formal install spec, but SKILL.md tells users to install @membranehq/cli via npm (npm install -g @membranehq/cli@latest). Installing a global npm CLI is a common pattern but carries the usual moderate risks of installing packages from a registry (verify package name/source and review permissions).
- Credentials (ok): The skill requests no environment variables or credentials itself; it relies on Membrane's interactive login flow to obtain and refresh tokens. That is proportionate to a connector-based integration with Everee.
- Persistence & Privilege (note): Skill flags are default (not always). The Membrane CLI will persist auth tokens locally after login (normal for CLIs). The skill can be invoked autonomously by agents (platform default); combined with access to payroll data this increases potential impact if an agent is allowed to run actions without approval.
