Back to skill
Skillv1.0.2
ClawScan security
Livestorm · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 2, 2026, 9:00 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, requirements, and behavior are coherent with a Livestorm integration that uses the Membrane CLI; nothing requested or instructed is out-of-scope for that purpose.
- Guidance
- This skill is coherent: it uses the Membrane CLI to manage Livestorm data and does not ask for unrelated credentials. Before installing, verify the @membranehq/cli npm package (check the package page, publisher, and recent activity), prefer installing in a controlled environment (container, VM, or non-global npm prefix) if you are cautious, and be prepared to complete browser-based authentication which gives Membrane access to Livestorm on your behalf. Do not share raw API keys or secrets outside the official Membrane connection flow. If you need higher assurance, review Membrane's privacy/permissions docs and the @membranehq/cli repository on GitHub.
Review Dimensions
- Purpose & Capability
- okName/description (Livestorm integration) match the runtime instructions: discover and run Livestorm actions via the Membrane CLI and proxy raw API calls when needed. No unrelated credentials, binaries, or paths are requested.
- Instruction Scope
- okSKILL.md confines the agent to installing/using the Membrane CLI, logging in via browser, creating connections, listing and running actions, and proxying Livestorm API requests. It does not instruct reading unrelated files, harvesting environment variables, or sending data to unexpected endpoints.
- Install Mechanism
- noteThere is no install spec in the skill bundle itself (instruction-only). The instructions recommend a global npm install of @membranehq/cli which is a reasonable way to get the CLI but does execute third-party code on install—verify the package source and trustworthiness before running a global npm install.
- Credentials
- okThe skill declares no required environment variables or credentials and explicitly advises using Membrane-managed connections instead of asking for API keys. Requested access is proportional to the stated purpose (network + Membrane account).
- Persistence & Privilege
- okSkill is user-invocable and not always-loaded; it does not request persistent presence or modify other skills or system-wide agent settings. Autonomous invocation is allowed by default but not combined with other red flags.