Skill v1.0.1

ClawScan security

Mozilla Observatory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 9:24 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, requirements, and behaviors are consistent with a Membrane-based integration for interacting with Mozilla Observatory data; nothing requested is disproportionate to that purpose.
Guidance
This skill is an instruction-only integration that uses the Membrane CLI to talk to Mozilla Observatory. Before installing or running it:
1) Verify you trust Membrane (getmembrane.com) and inspect the @membranehq/cli npm package and its GitHub repo if you can.
2) Prefer using npx for one-off runs instead of a global npm install, and avoid running npm install -g as root.
3) Be aware you will need to authenticate via Membrane (browser or URL+code) and that Membrane will hold the connection credentials server-side.
4) If you do not want autonomous agent actions, keep the skill user-invocable only or disable autonomous invocation in your agent settings.
5) The absence of code files in the skill bundle means the runtime behavior depends on the external Membrane CLI/service — verify those external components before trusting the integration.

Review Dimensions

Purpose & Capability
ok: The SKILL.md consistently describes using the Membrane connector for Mozilla Observatory and only asks you to install and use the Membrane CLI. Required capabilities (network access, Membrane account) match the stated purpose; no unrelated services or credentials are requested.
Instruction Scope
ok: Instructions are limited to installing/using the Membrane CLI, authenticating via Membrane, creating connections, discovering and running actions. The document does not instruct reading arbitrary files, accessing unrelated environment variables, or sending data to unexpected endpoints.
Install Mechanism
ok: There is no automatic install spec in the skill bundle; the README recommends installing @membranehq/cli from the public npm registry (npm install -g) or using npx. Installing from npm is a standard approach and is proportionate to the CLI-based workflow described.
Credentials
ok: The skill declares no required environment variables or credentials. It relies on Membrane's own auth flow (browser-based or headless URL + code) rather than asking for API keys or secrets locally, which is appropriate for this integration.
Persistence & Privilege
ok: The skill is user-invocable, not always-enabled, and does not request elevated platform privileges or permanent presence. It does not modify other skills or system-wide agent settings.