Skill v1.0.1
ClawScan security
Apify · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 2:07 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, dependencies, and required access are coherent with an Apify integration implemented via the Membrane CLI; nothing requested is disproportionate or unrelated to the stated purpose.
- Guidance: This skill appears coherent and uses the Membrane CLI as intended to access Apify. Before installing: verify the @membranehq/cli package and its GitHub repo (check npmjs.org and the repository for maintainers, recent releases, and issues), because global npm installs run code at install time. Ensure you are comfortable completing the interactive login flow (it may open a browser or require pasting a code). Do not share Apify API keys; follow the skill's guidance to create a Membrane connection so credentials are managed server-side. If you need stricter control, run the CLI in an isolated environment or container rather than installing it globally on a sensitive host.
Review Dimensions
- Purpose & Capability (ok): The skill is an Apify integration and all runtime instructions use the Membrane CLI to connect to Apify, discover actions, and run them. Requiring the Membrane CLI is consistent with the described approach; no unrelated credentials, binaries, or files are requested.
- Instruction Scope (ok): SKILL.md limits runtime activity to installing/using the Membrane CLI, logging in, creating a connector to Apify, listing/searching actions, and running them. It explicitly advises against asking users for API keys. The instructions do not direct the agent to read arbitrary local files, system configs, or unrelated environment variables.
- Install Mechanism (note): Installation is an npm global install (`npm install -g @membranehq/cli@latest`). Using the public npm registry for a CLI is expected for this workflow, but global npm packages can run arbitrary install-time scripts; users should verify the package and its source (npmjs listing, GitHub repo, maintainers) before global installation.
- Credentials (ok): The skill declares no required environment variables or credentials and instructs using Membrane-managed connections rather than collecting API keys. Requested access is proportional to the stated purpose.
- Persistence & Privilege (ok): The skill is instruction-only, has no install spec that writes files, and does not request always:true. Autonomous invocation is enabled by default (platform default) but does not combine with other concerning privileges here.
