Skill v1.0.3
ClawScan security
Journeyfront · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 9:29 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, dependencies, and scope align with its stated purpose: it is an instruction-only integration that relies on the Membrane CLI to access Journeyfront data and does not request unrelated credentials or system access.
- Guidance: This skill is coherent: it uses the Membrane CLI to manage Journeyfront actions rather than embedding credentials. Before installing, verify you trust Membrane/@membranehq (check the npm package, publisher, and GitHub repo), avoid running global npm installs with escalated privileges if possible, and be aware the CLI will handle authentication via a browser flow; do not share auth codes. If you need stronger assurance, review the @membranehq/cli source code or run it in a constrained environment before granting it access to production data.
Review Dimensions
- Purpose & Capability (ok): Name/description match the instructions: the skill explains how to use the Membrane CLI to connect to Journeyfront, discover and run actions, and manage workflows. All requested operations are consistent with a Journeyfront integration.
- Instruction Scope (ok): SKILL.md confines runtime instructions to installing/using the Membrane CLI, performing login, creating a connection, and running/listing actions. It does not instruct the agent to read unrelated files, environment variables, or send data to arbitrary endpoints.
- Install Mechanism (note): There is no formal install spec; the docs instruct the user to install the @membranehq/cli from npm (global install or npx). This is reasonable for a CLI-based integration, but it does introduce the usual supply-chain risk of installing a third-party npm package; verify the package and publisher before installing.
- Credentials (ok): The skill declares no required env vars or credentials. Authentication is delegated to Membrane's CLI/server-side flow, which is coherent with the guidance to avoid asking users for API keys.
- Persistence & Privilege (ok): The skill is instruction-only, not always-included, and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide settings beyond advising installation of a CLI tool.
