Skill v1.0.3
ClawScan security
Razorpay · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 5:05 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only adapter that uses the Membrane CLI to talk to Razorpay, and its requirements and instructions are coherent with that purpose.
- Guidance: This skill is an instructions-only integration that delegates auth and API calls to the Membrane service. Before installing or running it:
  1. Verify you trust Membrane/@membranehq (review their homepage, GitHub repo and npm package) because the CLI will run code locally and talk to Membrane servers.
  2. Prefer using npx for one-off runs instead of a global npm -g install to reduce long-lived footprint.
  3. Be prepared to complete an OAuth-style login in a browser (or copy a code for headless flows).
  4. Confirm your organization's policy allows a third-party service (Membrane) to hold/manage Razorpay credentials and perform actions on your behalf.
  5. If you need stronger assurance, review the Membrane CLI source on GitHub and the privacy/security docs before granting access.
Review Dimensions
- Purpose & Capability (ok): The name/description (Razorpay integration) match the instructions: all runtime steps call the Membrane CLI to create a connection and run actions against Razorpay. Requiring a Membrane account and network access is appropriate.
- Instruction Scope (ok): SKILL.md only instructs installing/using the Membrane CLI, logging in, creating a Razorpay connection, discovering and running actions. It does not ask the agent to read arbitrary local files or other unrelated credentials. It does require interactive or headless login via a browser/URL, which is documented.
- Install Mechanism (note): Installation is via npm (@membranehq/cli) or npx. npm packages are common for CLIs but carry the usual supply-chain risk of running published package code; using npx avoids a global install. No direct downloads or archives are used.
- Credentials (ok): The skill declares no environment variables or secrets; authentication is delegated to Membrane. This is proportionate to the stated purpose (Razorpay access via Membrane).
- Persistence & Privilege (ok): always is false and the skill does not request persistent system-wide privileges. It relies on the Membrane service/CLI for auth and runtime, which is within expected scope.
