Skill v1.0.3

ClawScan security

Ispring Learn · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 9:29 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent: it is an instruction-only integration that tells the agent to use the Membrane CLI to access iSpring Learn and does not request unrelated credentials or system access.
Guidance
This skill is coherent with its stated purpose, but before installing or following the instructions you should: 1) confirm you trust the Membrane CLI package and its publisher (review the npm package and the GitHub repository at https://github.com/membranedev/application-skills and the homepage), 2) prefer installing CLIs without -g in isolated environments or using a container/virtual environment to avoid modifying your system globally, 3) create a least-privilege Membrane/iSpring account or connection for the integration so the agent cannot access more data than necessary, and 4) avoid pasting or sharing other unrelated credentials — the skill specifically recommends letting Membrane manage auth rather than handing over API keys.

Review Dimensions

Purpose & Capability
ok: The name/description match the instructions: the skill directs the agent to use the Membrane CLI to manage iSpring Learn entities. The requested operations (connect, action list/create/run) are coherent with an LMS integration.
Instruction Scope
ok: SKILL.md only instructs installing and running the Membrane CLI, authenticating via the Membrane flow, and using CLI commands to list/create/run actions. It does not direct the agent to read unrelated files, environment variables, or exfiltrate data to unexpected endpoints.
Install Mechanism
note: There is no registry install spec, but SKILL.md instructs running `npm install -g @membranehq/cli@latest`. Installing a global npm package is a moderate-risk action (executing third-party code on the system). This is expected for a CLI-based integration, but users should verify the package source and trustworthiness before installing globally.
Credentials
ok: The skill declares no required env vars or credentials and recommends using Membrane's connection flow rather than collecting API keys locally. No unrelated secrets or config paths are requested.
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills, and is user-invocable. It requires network access and a Membrane account as expected, but does not demand persistent elevated privileges.