Skill v1.0.3

ClawScan security

Microsoft Onenote · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 5:06 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files and runtime instructions are coherent with a OneNote integration that uses the Membrane CLI; nothing requested or instructed is disproportionate to that purpose.
Guidance
This skill appears to be what it says: a OneNote integration driven by the Membrane CLI. Before installing or running commands:
1) Verify the @membranehq/cli package and maintainers (npm page and GitHub) to ensure you trust the binary you will install globally.
2) Prefer installing CLI tools in a user-local or sandboxed environment rather than as a global system package if you have concerns.
3) Confirm the connector uses Microsoft Graph and appropriate least-privilege scopes for your needs.
4) Be aware that the CLI will perform network requests and will open a browser or present an auth URL; this is expected but means you should not run it in contexts where exposing interactive tokens/URLs is risky.
If you want extra assurance, inspect Membrane's source code (repository URL in SKILL.md) before installing.

Review Dimensions

Purpose & Capability
ok: Name/description (OneNote integration) match the SKILL.md: it documents using the Membrane CLI to create connections and run actions against OneNote. No unrelated credentials, binaries, or resources are requested.
Instruction Scope
ok: Instructions are focused on installing and using the Membrane CLI, authenticating, connecting to the Microsoft OneNote connector, listing and running actions, and creating actions as needed. The SKILL.md does not instruct reading unrelated files, exfiltrating data to arbitrary endpoints, or accessing unrelated system state.
Install Mechanism
note: The SKILL.md tells users to install @membranehq/cli via npm (global install). There is no formal install spec in the registry metadata (instruction-only). Installing a CLI from the public npm registry is common for this use case but carries the usual risk of trusting the package; the request is proportionate to the stated purpose.
Credentials
ok: The skill declares no required env vars, no config paths, and no secrets. Authentication is handled via Membrane's login flow (browser/authorization-code), which is appropriate for a third-party connector and consistent with the guidance in SKILL.md.
Persistence & Privilege
ok: The skill does not request always:true or any elevated persistent presence; it is user-invocable and can be invoked autonomously by the agent (platform default). No instructions modify other skills or global agent settings.