Skill v1.0.1

ClawScan security

Revamp Crm · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 5:05 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, requirements, and actions are coherent for a Membrane-based Revamp CRM integration and do not request unrelated credentials or system privileges.
Guidance
This skill appears to be what it says: a Membrane-based Revamp CRM integration. Before installing: verify you trust the @membranehq/cli package (inspect the npm package and upstream repo), prefer using npx for one-off commands if you want to avoid a global install, and be aware the CLI will open a browser or provide an auth URL for you to complete login (you will paste back a code in headless environments). No extra credentials are requested by the skill itself, but the integration requires a Membrane account and network access. If you are cautious, review the Membrane CLI source or run commands in a controlled environment (sandbox/VM) first.

Review Dimensions

Purpose & Capability
ok: The name/description (Revamp CRM integration) match the instructions: they call the Membrane CLI to connect to Revamp CRM, discover and run actions, and create actions. Requested tools (Membrane CLI via npm) are appropriate to that purpose.
Instruction Scope
ok: SKILL.md only instructs installing and using the Membrane CLI, authenticating via browser/URL, creating/listing connections and actions, and running actions. It does not direct the agent to read unrelated files, request unrelated credentials, or exfiltrate data to unexpected endpoints.
Install Mechanism
note: Installation is instruction-only but directs users to install @membranehq/cli globally via npm (npm install -g). This is expected for a CLI-based integration but carries the usual trust/risk of installing and running a third-party global npm package. Using npx as shown in examples reduces the need for a global install.
Credentials
ok: The skill declares no required environment variables or credentials and explicitly instructs to let Membrane manage credentials. No unrelated secrets are requested.
Persistence & Privilege
ok: The skill is not set to always:true and does not request system-wide configuration changes. It is instruction-only and does not ask to modify other skills or global agent settings.