Skill v1.0.3
ClawScan security
Mautic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 1:07 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions and requirements are coherent for a Mautic integration that delegates auth and API calls to the Membrane CLI/service; it asks for no unrelated credentials or risky installs beyond recommending the official Membrane npm CLI.
- Guidance: This skill appears to do what it claims: it uses the Membrane CLI/service to talk to Mautic and asks you to authenticate via Membrane rather than exposing local API keys. Before installing/using it: (1) Verify you trust Membrane (@membranehq) and review their privacy/security docs because Membrane will hold the connection credentials to your Mautic instance; (2) confirm the npm package name (@membranehq/cli) and its official source (npm registry / GitHub) before running npm -g; global npm installs modify your environment—prefer containerized or controlled environments if possible; (3) be prepared to complete an OAuth/browser login or paste a headless login code; do not paste your full account passwords into chat. If you want stronger assurance, ask the skill author for a signed package/source repository link and review Membrane's repo and access permissions before proceeding.
Review Dimensions
- Purpose & Capability (ok): Name/description (Mautic integration) align with the SKILL.md: it instructs the agent to use the Membrane CLI to connect to Mautic and run pre-built actions such as listing/creating contacts, campaigns, etc. No unrelated capabilities (cloud provider keys, system admin access, etc.) are requested.
- Instruction Scope (ok): The runtime instructions focus on installing/using the Membrane CLI, authenticating via Membrane, creating a connector to Mautic, discovering and running actions. They do not instruct reading arbitrary local files, harvesting unrelated environment variables, or sending data to unexpected endpoints. The auth flow requires the user to complete an OAuth/browser step (or paste a login code) which is described.
- Install Mechanism (note): The SKILL.md recommends installing @membranehq/cli via npm -g. That's a publicly-published npm package (expected for this workflow) but it does modify the host environment when installed globally. The skill registry itself has no install spec; installation is left to the operator.
- Credentials (note): The skill declares no required env vars or local config paths. It does require a Membrane account and network access; Membrane handles Mautic credentials server-side. Users should be aware Membrane will store/manage access to their Mautic instance (no local API key is requested).
- Persistence & Privilege (ok): The skill is instruction-only, does not request always:true, and does not indicate it will modify other skills or system-wide agent settings. Autonomous invocation is the platform default and not a separate concern here.
