Skill v1.0.3
ClawScan security
Laposta · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 12:41 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it delegates Laposta access to the Membrane CLI, requires a Membrane account and network access, and does not request unrelated credentials or perform unexplained actions.
- Guidance: This skill appears coherent and uses the Membrane CLI to manage Laposta access. Before installing: verify that @membranehq/cli is the official package (check npm registry page and the repository), be aware that `npm install -g` requires elevated permissions, and understand that logging in and creating a connection grants Membrane (and thus the connector) access to your Laposta account — review Membrane's privacy/security policies and the connector's requested scopes. If you prefer not to install a global CLI, consider running the CLI in a controlled environment or container. Finally, confirm the connectorKey (laposta) is what you expect and that returned connection IDs and outputs are handled according to your data-handling requirements.
Review Dimensions
- Purpose & Capability: ok. The name/description (Laposta integration) matches the instructions: all actions are performed through the Membrane CLI and the skill describes creating a connection for the Laposta connector. There are no unrelated credentials, binaries, or requirements requested that would be inconsistent with a Laposta integration.
- Instruction Scope: ok. SKILL.md only instructs the agent to install and use the Membrane CLI (login, connect, list/search/run actions). It does not ask the agent to read local files, export unrelated env vars, or send data to external endpoints other than Membrane. Headless login flow (open a URL, paste code) is documented and expected for CLI-based OAuth flows.
- Install Mechanism: note. No install spec in the skill bundle; the README recommends installing @membranehq/cli via npm global install. Installing a package from the public npm registry is a normal approach for a CLI but has the usual considerations (global npm install requires elevated permissions and you should verify package authenticity and provenance).
- Credentials: ok. The skill declares no required environment variables or credentials. It explicitly delegates credential storage and refresh to Membrane and instructs the user to create a connection rather than supplying API keys locally — this is proportionate for a third-party connector integration.
- Persistence & Privilege: ok. The skill does not request permanent presence (always:false) and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not accompanied by broad privileges or secret access.
