Back to skill
Skillv1.0.5
ClawScan security
Copper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 28, 2026, 9:15 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are consistent with a Copper CRM integration implemented via the Membrane CLI; nothing requested appears disproportionate to that purpose.
- Guidance
- This skill appears coherent for accessing Copper through Membrane. Before installing/use, consider: (1) you will need to install the Membrane CLI from npm (a global npm install runs third‑party code—verify the package and version); (2) authenticating will grant Membrane access to your Copper data, so review the permissions and revoke access if not needed; (3) verify Membrane's privacy/security posture (getmembrane.com and the published npm package) if you will run this on a machine with sensitive data; and (4) prefer least-privilege accounts or test tenants if you are unsure. If you want extra assurance, ask the publisher for the exact npm package version and a link to the package's npm/GitHub release page before installing.
Review Dimensions
- Purpose & Capability
- okName/description (Copper integration) align with the instructions: everything the skill asks you to do (install Membrane CLI, login, create a connection, run actions or proxy requests) is what you'd expect for a connector that proxies to Copper via Membrane.
- Instruction Scope
- okSKILL.md confines runtime actions to installing/using the Membrane CLI, authenticating the user, discovering/ running actions, and proxying requests to Copper. It does not instruct reading unrelated system files, harvesting other credentials, or sending data to unexpected endpoints.
- Install Mechanism
- noteThis is an instruction-only skill (no install spec), but it instructs the user to install @membranehq/cli via npm -g. Installing a global npm package is a normal step for a CLI but carries the usual moderate risk of executing third‑party package code (postinstall scripts). The registry metadata does not itself perform any install.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. Authentication is delegated to the Membrane CLI workflow (OAuth/browser flow), which is proportionate for accessing Copper data.
- Persistence & Privilege
- okSkill is not always-enabled and does not request elevated platform privileges. It does not attempt to modify other skills or persist broad agent-wide configuration beyond normal Membrane connection state.