Skill v1.0.3
ClawScan security
Everhour · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 3:07 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only Everhour integration that consistently delegates auth and API calls to the Membrane CLI/service and does not request unrelated credentials or system access.
- Guidance: This skill is instruction-only and asks you to use the Membrane CLI to connect your Everhour account. Before installing or using it: 1) confirm you trust Membrane (getmembrane.com / their GitHub) because your Everhour access will be mediated by their service; 2) be prepared to run npm install -g @membranehq/cli (global installs may require admin rights); 3) authenticate via the Membrane login flow rather than giving raw API keys to the agent; and 4) if you require stricter control, review Membrane's privacy/security docs and the specific connector permissions in your Membrane account before creating the connection.
Review Dimensions
- Purpose & Capability (ok): The name/description (Everhour integration) match the instructions: it tells the agent to use the Membrane CLI to list, create, and update Everhour resources. Nothing in the document asks for unrelated credentials or capabilities.
- Instruction Scope (ok): SKILL.md's runtime instructions are narrowly scoped to installing and using the Membrane CLI (login, connect, list actions, run actions). It does not instruct reading arbitrary files, unrelated env vars, or exfiltrating data to unexpected endpoints. It explicitly recommends letting Membrane manage credentials.
- Install Mechanism (note): No formal install spec in the registry (skill is instruction-only), but SKILL.md asks the user to install @membranehq/cli globally via npm. That is a standard package source; installing globally may require privileges on some systems, but this is expected for a CLI-based integration.
- Credentials (ok): The skill declares no required env vars or credentials. The instructions rely on interactive Membrane login and connections rather than asking for API keys, so requested environment/credentials are proportional to the stated purpose.
- Persistence & Privilege (ok): The skill does not request always:true or elevated persistence. It is user-invocable and can be invoked autonomously per platform defaults, which is expected for integrations of this type.
