Skill v1.0.3
ClawScan security
Smartsuite · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 12:04 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, requirements, and recommended CLI install are consistent with a Smartsuite integration that uses Membrane; there are no unexplained credentials or scope creep, though installing a global npm CLI carries the usual supply-chain considerations.
- Guidance: This skill appears internally consistent: it asks you to install and use the Membrane CLI to manage Smartsuite data and does not request unrelated secrets. Before installing, verify you trust the @membranehq package (check the npm page and GitHub repo), prefer installing in a contained environment if you have concerns (e.g., container or VM), confirm the CLI version you install, and be aware that the Membrane service will have access to your Smartsuite data once you connect an account. If you need higher assurance, review the CLI source and package publish history before running a global npm install.
Review Dimensions
- Purpose & Capability (ok): The skill describes Smartsuite integration and exclusively instructs use of the Membrane CLI to connect to Smartsuite and run actions. Requested capabilities (network access and a Membrane account) match the stated purpose.
- Instruction Scope (ok): SKILL.md only instructs installing and using the Membrane CLI, creating connections, searching and running actions, and handling headless login flows. It does not ask the agent to read unrelated files, exfiltrate secrets, or contact unexpected endpoints beyond Membrane/Smartsuite.
- Install Mechanism (note): There is no formal install spec in the registry, but the skill instructs users to run a global npm install (npm install -g @membranehq/cli@latest). Requiring an npm-installed CLI is reasonable for this purpose, but installing global npm packages introduces normal supply-chain risks and should be done from a trusted package and environment.
- Credentials (ok): The skill declares no environment variables or credentials. Authentication is delegated to Membrane's CLI/login flow, which is proportionate to the integration's needs. No unrelated credentials are requested.
- Persistence & Privilege (ok): The skill does not request always:true, does not modify other skills or system-wide settings, and is user-invocable. It does not request elevated or persistent platform privileges beyond normal CLI usage.
