Back to skill
Skillv1.0.3
ClawScan security
Leadsquared · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 22, 2026, 1:43 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions and requirements are coherent with a LeadSquared integration that uses the Membrane CLI; it asks users to install and authenticate the Membrane client but does not request unrelated credentials or perform unexpected actions.
- Guidance
- This skill delegates LeadSquared access to the Membrane CLI. Before installing: verify @membranehq/cli and getmembrane.com are trusted, prefer using npx for one-off runs if you don't want a global install, and review the permissions requested during the Membrane/LeadSquared connection. Do not share unrelated API keys or credentials; expect a browser-based auth flow that issues a short code to complete login. If you need stronger assurance, inspect the Membrane CLI package (npm page or GitHub repo) and the connector implementation before granting access to sensitive LeadSquared data.
Review Dimensions
- Purpose & Capability
- okThe name/description (LeadSquared integration) align with the instructions: all runtime steps call the Membrane CLI to connect to LeadSquared and run actions. No unrelated services, binaries, or environment variables are requested.
- Instruction Scope
- noteSKILL.md instructs installing @membranehq/cli, logging in via browser/URL, creating a connection, discovering/creating actions, and running them. These steps stay within the integration's scope, but the skill depends on an external Membrane account and interactive auth flows.
- Install Mechanism
- noteThe skill is instruction-only but recommends installing an npm package globally and using npx. Downloading the Membrane CLI from npm is expected for this workflow; this is moderate-risk compared to no install, so users should ensure the CLI package and vendor (membrane) are trusted.
- Credentials
- okNo environment variables, secrets, or config paths are declared or requested by the SKILL.md. Authentication is handled via Membrane's login flow (browser or URL code), which is proportional to the described purpose.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request persistent elevated privileges. The instructions will create local CLI auth state when the user logs in, which is expected for a CLI-based connector and does not modify other skills.