Skill v1.0.2
ClawScan security
Hootsuite · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 2, 2026, 8:51 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, dependencies, and behavior are coherent with a Hootsuite integration that uses the Membrane CLI; it doesn't ask for unrelated credentials, but installing and trusting the Membrane CLI (npm) and Membrane's cloud proxy are the main things to consider.
- Guidance: This skill appears internally consistent and uses the Membrane CLI to talk to Hootsuite. Before installing: (1) verify the @membranehq/cli package on npm (publisher, download counts, repo) because `npm install -g` adds a global binary you must trust; (2) be aware that API calls and credentials are handled by Membrane's cloud proxy (data will flow through Membrane, so review their privacy/security posture if you have sensitive content); (3) if you want to avoid global installs, consider using a local install or container; (4) because the skill is instruction-only and requests no extra credentials, it does not appear to perform unexpected actions, but always verify the CLI behavior on a test account first.
Review Dimensions
- Purpose & Capability: ok. Name/description (Hootsuite integration) matches the runtime instructions: all actions are performed via the Membrane CLI, which proxies to Hootsuite. There are no unrelated environment variables, binaries, or config paths requested.
- Instruction Scope: ok. SKILL.md only instructs the agent/user to install and use the Membrane CLI to create connections, list/run actions, and proxy requests to Hootsuite. It does not ask the agent to read local files, collect unrelated system data, or transmit data to endpoints other than Membrane/Hootsuite.
- Install Mechanism: note. No install spec in the registry (instruction-only), but the docs instruct users to run `npm install -g @membranehq/cli`. This is an expected approach but requires trusting an npm package and will write a global binary to disk; verify package provenance before installing.
- Credentials: ok. The skill declares no required env vars or credentials and explicitly directs users not to supply API keys locally. Authentication is delegated to Membrane's cloud flows, which is proportionate to the described functionality.
- Persistence & Privilege: ok. Skill is instruction-only, has no install-time hooks or always:true flag, and does not request persistent system privileges. The default ability for the agent to invoke the skill autonomously is present (platform default) but not combined with other concerning privileges.
