Skill v1.0.3

ClawScan security

Eyepopai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 1:27 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions and requirements are consistent with an EyePop.ai integration that uses the Membrane CLI; nothing requested appears disproportionate or unrelated to the stated purpose.
Guidance
This skill is coherent, but before installing: 1) Confirm you trust Membrane/getmembrane.com and the @membranehq/cli npm package (review the GitHub repo and privacy/terms). 2) Note the SKILL.md expects Node/npm (or npx) even though the registry metadata doesn't list them—installing a global npm package will run third-party code on your machine. Prefer using npx for one-off runs if you want to avoid a global install. 3) Be aware that authentication and action execution are handled by Membrane's service, so EyePop.ai data and API access will transit their platform; verify that sharing that data with Membrane is acceptable for your use case. 4) If you need higher assurance, inspect the @membranehq/cli package source or run it in an isolated environment before using it with production accounts.

Review Dimensions

Purpose & Capability
note: The skill describes an EyePop.ai integration and delegates work to the Membrane CLI, which is coherent. Minor mismatch: the registry metadata lists no required binaries, but the SKILL.md expects npm/npx (Node) to install/run the Membrane CLI.
Instruction Scope
note: Instructions stay on-topic (install Membrane CLI, login, create a connection, discover and run actions). They rely on Membrane to handle auth and action execution. Users should understand that actions and credentials are handled server-side by Membrane and that data/actions will flow through Membrane's service.
Install Mechanism
note: There is no automated install spec (instruction-only). The SKILL.md recommends installing @membranehq/cli from npm (public registry) or running via npx; this is a common approach but does execute third-party code locally. This is a moderate but expected risk for CLI-based integrations.
Credentials
ok: The skill declares no required env vars or credentials and instructs users to use Membrane connections rather than supplying API keys locally. That is proportionate. Users should still be aware that authentication flows will grant Membrane access to their EyePop.ai account.
Persistence & Privilege
ok: The skill does not request always:true and does not ask to modify system/other-skill configs. It is user-invocable and can be called autonomously by the agent (platform default).