Skill v1.0.3

ClawScan security

Quentn · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 22, 2026, 12:59 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, requirements, and behavior are consistent with a Quentn integration that uses the Membrane CLI; nothing requested is disproportionate to that purpose.
Guidance
This skill appears to be what it says: a Quentn integration that uses the Membrane CLI. Before installing or following the SKILL.md, consider:
1) you will need a Membrane account and to authorize Membrane to access your Quentn data (review what permissions the connection requests);
2) the doc asks you to run npm install -g @membranehq/cli (or use npx) — installing global npm packages executes code from the npm registry, so verify the package and publisher and prefer npx if you want to avoid a global install;
3) the skill delegates auth to Membrane, so trust in getmembrane.com / the @membranehq package is required;
4) the skill does not ask for local API keys or to read system files, but be cautious in headless flows where you might paste codes into a terminal.
If you need higher assurance, verify the CLI source on the referenced GitHub repository and inspect the package before installing.

Review Dimensions

Purpose & Capability
ok
Name/description (Quentn integration) align with the runtime instructions: the SKILL.md explains using the Membrane CLI to connect to Quentn, discover and run actions, and manage CRM objects. The required network access and a Membrane account are appropriate for this purpose.
Instruction Scope
ok
Instructions are limited to installing/using the Membrane CLI, authenticating via Membrane, creating connections, discovering and running actions, and polling action build status. The doc does not instruct reading unrelated files, scanning system config, or exfiltrating data to third-party endpoints beyond Membrane/Quentn.
Install Mechanism
note
There is no platform install spec in the registry (skill is instruction-only). The SKILL.md instructs installing @membranehq/cli from npm (npm install -g or npx usage). This is expected for a CLI-driven integration but does involve fetching and installing code from the npm registry — verify the package and publisher before installing.
Credentials
ok
The skill declares no required environment variables or credentials and explicitly delegates auth to Membrane. That is coherent: a connector-based approach avoids asking for API keys locally. The only external requirement is a Membrane account and network access.
Persistence & Privilege
ok
The skill is not always-enabled and does not request elevation or modify other skills. It is instruction-only and does not claim persistent system-level presence or automatic installs.