Skill v1.0.2
ClawScan security
Formidable Forms · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 2, 2026, 8:55 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's actions, requirements, and instructions match its stated purpose (using the Membrane CLI to access Formidable Forms), though it requires installing a third‑party CLI and routes data through Membrane's service — so review that trust boundary before use.
- Guidance: This skill is coherent and does what it says: it instructs you to install the Membrane CLI and use it to connect to and manage Formidable Forms data. Before installing and using it, consider:
  1. Verify the @membranehq/cli package and publisher (check the npm page and linked GitHub repo) before running npm install -g; installing global packages runs third‑party code on your machine.
  2. Understand the trust boundary: authentication uses Membrane (browser OAuth) so Membrane will store/manage tokens and will see requests/responses proxied through their service — do not use it with highly sensitive production data unless you trust Membrane.
  3. Use a least-privilege/test account or a dedicated connection for initial testing.
  4. When using 'membrane request' or 'membrane action run', be deliberate about endpoints and inputs to avoid inadvertently exposing data.

  If you need the skill to run without installing a global CLI, ask the skill author for an explicit non-global or sandboxed install option.
Review Dimensions
- Purpose & Capability (ok): The skill is an instruction-only integration that uses the Membrane CLI to manage Formidable Forms resources. No unrelated credentials, binaries, or config paths are requested — this aligns with the described purpose.
- Instruction Scope (note): Instructions are focused on installing and using the Membrane CLI to list/connect/run actions and proxy requests to the Formidable Forms API. This is within scope, but the 'membrane request' and 'membrane action run' commands allow proxying arbitrary Formidable endpoints and running arbitrary connector actions, which grants broad access to form data (expected for this integration but a useful user privacy/security consideration).
- Install Mechanism (note): There is no automated install spec in the registry, but the SKILL.md instructs users to install @membranehq/cli via npm (npm install -g). Installing a global npm package is a standard approach but has moderate risk because it executes third‑party code on the host; the package is from the public npm registry (@membranehq) — verify the package and publisher before installing.
- Credentials (note): The skill requests no local environment variables or secrets (proportionate). However, authentication is handled by Membrane (browser OAuth flow) which means credentials/tokens are managed server‑side by Membrane — users should be aware that form data and credentials will be accessible to the Membrane service.
- Persistence & Privilege (ok): The skill is user-invocable with no 'always' flag and does not request persistent system-wide privileges. It does require the user to install a CLI, but the skill itself does not request elevated or persistent platform privileges.
