Skill v1.0.3
ClawScan security
Honeybadger · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 3:03 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only integration that uses the Membrane CLI to access Honeybadger; its requirements and instructions are coherent with that purpose and it does not request unrelated credentials or privileged persistence.
- Guidance: This skill itself is an instructions document that tells you to install and use the Membrane CLI to interact with Honeybadger. Before installing or running it: (1) verify you trust the @membranehq npm package and publisher (installing a global npm CLI runs code on your machine); (2) expect to authenticate via Membrane's web flow: you will delegate Honeybadger credentials to Membrane rather than supplying API keys locally; (3) if you need stronger isolation, consider installing the CLI into a virtualenv/container or inspect the package source on npm/GitHub first; (4) review Membrane's privacy/security docs to confirm you are comfortable with a third-party service managing auth and acting on your Honeybadger data.
Review Dimensions
- Purpose & Capability: ok. The name/description (Honeybadger integration) matches the instructions: guidance to install and use the Membrane CLI to create a Honeybadger connection and run actions. The actions listed (projects, faults, check-ins, teams) align with Honeybadger capabilities.
- Instruction Scope: ok. SKILL.md is scoped to running the Membrane CLI (login, connect, list/run actions). It does not instruct reading arbitrary local files, accessing unrelated environment variables, or sending data to unexpected endpoints. Authentication is handled via Membrane and requires interactive login or headless code flow (user-mediated).
- Install Mechanism: note. There is no formal install spec in the package registry (instruction-only), but the runtime docs instruct users to run npm install -g @membranehq/cli@latest. Installing a public npm CLI is a reasonable, common step but is a moderate-risk operation relative to instruction-only skills because it writes code to disk and requires trust in the npm package and its publisher.
- Credentials: ok. The skill declares no required env vars, no primary credential, and SKILL.md explicitly advises letting Membrane manage credentials instead of asking for API keys. No unrelated secrets or config paths are requested.
- Persistence & Privilege: ok. The skill is not marked always:true and is user-invocable. It does not request to modify other skills or system-wide config in the instructions. No elevated persistence or hidden background behavior is described.
