Back to skill
Skillv1.0.3
ClawScan security
Freshservice · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 21, 2026, 1:06 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and instructions are consistent with a Freshservice integration that uses the Membrane CLI as an intermediary; nothing requested is disproportionate to that stated purpose.
- Guidance
- This skill delegates auth and API calls to the third‑party Membrane service and recommends installing @membranehq/cli from npm. Before installing or using it: (1) confirm you trust the Membrane project and review its privacy/security docs because it will broker access to your Freshservice data; (2) install the CLI from the official npm package name and consider pinning a version instead of using @latest; (3) be aware login opens a browser to complete auth — do not paste codes into untrusted prompts; (4) if you must restrict risk, prefer creating a least-privilege Freshservice test account to connect through Membrane first.
Review Dimensions
- Purpose & Capability
- okName/description, the CLI commands, and the workflow (connect a Freshservice connector, list/create/run actions) align with a Freshservice integration; no unrelated credentials, binaries, or paths are requested.
- Instruction Scope
- okSKILL.md confines actions to installing/using the Membrane CLI, logging in, creating a connection to Freshservice, discovering and running actions. It does not instruct the agent to read arbitrary files, access unrelated environment variables, or transmit data to unexpected endpoints beyond Membrane/Freshservice.
- Install Mechanism
- noteThe skill is instruction-only and recommends installing @membranehq/cli via npm (-g). Using npm is expected for a CLI, but npm packages are third-party code — verify the package name and source before installing and prefer pinned versions in sensitive environments.
- Credentials
- okNo environment variables, credentials, or config paths are requested by the skill. Authentication is delegated to the Membrane service (browser-based login flow), which is consistent with the stated design.
- Persistence & Privilege
- okThe skill does not request always-on presence or system-wide configuration changes. It is user-invocable and relies on the Membrane CLI; autonomous invocation is allowed by default but is not elevated by special privileges in this package.