Skill v1.0.3
ClawScan security
Slite · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 1:02 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions and requirements are internally consistent with a Slite integration that delegates auth and API work to the Membrane CLI — nothing requested is disproportionate to that purpose.
- Guidance: This skill appears coherent: it relies on the Membrane CLI to connect your Slite workspace and run pre-built actions. Before installing or using it: (1) verify the Membrane project/package (homepage, repo, and npm publisher) so you trust the third party that will manage auth and data; (2) be aware that using the CLI sends auth flows and workspace data through Membrane’s service — review their privacy/security docs if that matters; (3) prefer using npx or inspect the package before running a global `npm install -g`, since global installs execute code from npm; and (4) never paste Slite API keys or other secrets into chat — follow the described browser-based login/connection flow instead. If you need higher assurance, ask for the skill's upstream repository or vendor contact and confirm the Membrane CLI release you will install.
Review Dimensions
- Purpose & Capability: ok. Name/description match the runtime instructions: the skill directs the agent to use the Membrane CLI to connect to Slite, discover actions, run actions, and create actions. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope: note. Instructions focus on installing and using the Membrane CLI and its commands (login, connect, action list/run/create). They do not instruct reading unrelated files or environment variables. Note: auth is handled server-side by Membrane, so Slite data and auth tokens will be managed by the Membrane service as part of normal operation — users should be aware that data flows through that third-party service.
- Install Mechanism: note. The skill is instruction-only (no install spec) but tells users to run `npm install -g @membranehq/cli@latest` or use `npx`. Global npm installs execute code from the npm registry and install binaries system-wide — a common but non-trivial action. This is proportional to using a third-party CLI, but users should verify the package/source before installing.
- Credentials: ok. The skill declares no required env vars, no primary credential, and asks users to authenticate via Membrane's browser flow. It explicitly advises not to ask users for API keys. The requested access is proportional to a CLI-based integration.
- Persistence & Privilege: ok. The skill is not forced-always and does not request elevated or system-wide configuration changes. It is user-invocable and allows autonomous invocation by the agent (the platform default), which is appropriate for this integration.
