Skill v1.0.3
ClawScan security
Snipe It · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 1:25 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions and requirements align with its stated purpose (using the Membrane CLI to interact with Snipe‑IT) and it does not ask for unrelated credentials or system access, but it requires trusting the third‑party Membrane service and installing an npm CLI tool.
- Guidance: This skill appears coherent: it instructs you to install and use the Membrane CLI to manage Snipe‑IT and does not request unrelated system access. Before installing: (1) verify you trust Membrane (getmembrane.com/@membranehq repository) because credentials and API access are handled server‑side; (2) prefer creating a least‑privilege Snipe‑IT account (not admin) for integration; (3) be aware that installing a global npm package runs code on your machine—consider using npx or installing in a sandbox/container or with non‑root privileges; (4) check Membrane’s privacy/security docs and OAuth scopes when you connect; (5) when running in headless or shared environments, follow safe auth practices (do not paste authorization codes into public logs).
Review Dimensions
- Purpose & Capability (ok): Name/description claim Snipe‑IT integration and all runtime instructions focus on using the Membrane CLI to connect to Snipe‑IT, discover or build actions, and run them. No unrelated credentials, binaries, or paths are requested, so requested capabilities are coherent with the stated purpose.
- Instruction Scope (ok): SKILL.md instructs installing and using @membranehq/cli, performing login via browser/URL, creating connections, listing and running actions. It does not instruct reading arbitrary files, accessing other environment variables, or exfiltrating data to unknown endpoints. It does require network access and interactive authentication, which is expected for this integration.
- Install Mechanism (note): This is instruction‑only (no install spec), but it tells users to install a global npm package or use npx. Installing software from the npm registry is common here but carries the usual trust/execution risk (arbitrary code run on install). The guidance references official Membrane distribution (npm/@membranehq) and provides a homepage/repository, which is expected for this workflow.
- Credentials (ok): The skill declares no required env vars or credentials. However, it delegates auth to Membrane, meaning Snipe‑IT credentials (or OAuth tokens) will be managed server‑side by Membrane. That is proportionate to the skill’s purpose but requires trusting the third party with your Snipe‑IT access.
- Persistence & Privilege (ok): The skill is not always:true and does not request persistent elevated privileges or changes to other skills. It allows normal autonomous invocation (the platform default), which is not itself a concern in this context.
