Skill v1.0.3

ClawScan security

Geoapify · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 12:55 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is internally consistent: it uses the Membrane CLI to access Geoapify and its instructions match the stated purpose, but it omits a few operational details you should be aware of before installing.
Guidance
This skill delegates Geoapify access to the Membrane platform and requires you to install the @membranehq/cli (npm global) and to authenticate a Membrane account. Before installing: 1) Verify you trust Membrane (homepage and package owner), 2) be aware the CLI will open a login flow or provide an auth URL — do not paste secrets into chat, 3) installing an npm global package has normal supply-chain risk; review the package or run it in an isolated environment if you are cautious, and 4) confirm you are comfortable granting Membrane access to your Geoapify connection (Membrane will manage API keys). The registry metadata omits the required CLI step (no required binaries declared) — that's a minor manifest mismatch but not evidence of malicious intent.

Review Dimensions

Purpose & Capability
ok: The name/description (Geoapify integration) align with the instructions: the skill delegates Geoapify access to Membrane and shows how to create a connection and run Geoapify-related actions. Asking the user to use Membrane to connect to a Geoapify connector is coherent with the stated purpose.
Instruction Scope
note: SKILL.md instructs the agent/user to install and run the Membrane CLI and to perform an interactive login and connection creation. These actions are within scope for a connector-style skill, but the doc grants broad runtime discretion (searching/creating actions, polling, and running arbitrary Membrane actions) — which is expected but means the agent will act on the user's behalf via Membrane once authorized.
Install Mechanism
note: There is no formal install spec in the registry, but SKILL.md tells users to run an npm global install (`npm install -g @membranehq/cli@latest`). Installing from npm is a normal approach, but it is an external install step not recorded in the skill manifest and carries the usual supply-chain considerations for npm packages.
Credentials
ok: The skill declares no required env vars or credentials and relies on Membrane to handle authentication. That is proportional: Geoapify keys are managed by Membrane and the skill explicitly advises not to ask users for API keys. The SKILL.md does not ask for unrelated credentials or local config paths.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated system persistence. It instructs use of Membrane services and CLI but does not modify other skills or system-wide settings in the provided instructions.