Back to skill
Skillv1.0.3
ClawScan security
Samsara · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 22, 2026, 12:24 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, requirements, and actions are consistent with a Samsara integration that uses the Membrane CLI; there are no disproportionate credential or install demands in the skill bundle itself.
- Guidance
- This skill is coherent: it delegates Samsara access to the Membrane platform and instructs using the Membrane CLI. Before installing or following the instructions, consider: (1) only install CLIs from sources you trust — installing an npm package runs third-party code; prefer using npx if you want to avoid a global install; (2) review the Membrane project's repository and npm package to confirm authenticity and check recent activity/maintainers; (3) confirm the login URL and OAuth flow are for the official Membrane domain before entering credentials; (4) understand that Membrane will manage the Samsara credentials on your behalf — review its privacy/security docs and what permissions the connector requests in your Samsara org; (5) avoid using in highly sensitive environments until you've vetted Membrane and the connector's access scope. Overall the skill appears internally consistent, not requesting unrelated credentials or permissions.
Review Dimensions
- Purpose & Capability
- okThe skill claims to integrate with Samsara and its SKILL.md instructs the agent to use the Membrane CLI and the Samsara connector. Required capabilities (discover actions, create/run actions, connect) match the stated purpose and no unrelated credentials or system accesses are requested.
- Instruction Scope
- okThe SKILL.md only instructs installing and using the Membrane CLI, logging in via Membrane, creating a connection to the Samsara connector, and listing/ running actions. It does not ask the agent to read arbitrary local files, pull unrelated environment variables, or send data to endpoints outside Membrane/Samsara flows.
- Install Mechanism
- noteThis is an instruction-only skill (no install spec), but the docs direct the user to install the Membrane CLI via npm (npm install -g @membranehq/cli@latest) or to use npx for some commands. Installing a global npm package executes code from the public npm registry — this is normal for CLI usage but is an action the user should treat like any third-party package installation (review package source, trust, and permissions).
- Credentials
- okThe skill declares no required env vars or credentials and explicitly instructs not to ask users for external API keys (Membrane manages credentials). That is proportional to the described integration model. The SKILL.md relies on Membrane to handle auth; verify you trust Membrane to store/manage Samsara credentials.
- Persistence & Privilege
- okThe skill does not request always:true or other elevated presence. There is no install-time code in the skill bundle and it does not attempt to modify other skills or system-wide agent settings.