Sonarcloud

v1.0.2

SonarCloud integration. Manage Projects. Use when the user wants to interact with SonarCloud data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the instructions: the skill guides the agent to interact with SonarCloud via the Membrane platform. Requiring the Membrane CLI and a Membrane account is coherent with this purpose.
Instruction Scope
SKILL.md stays on-topic: it instructs installing the Membrane CLI, logging in, creating a SonarCloud connection, listing actions, running actions, or proxying requests. It does not instruct reading unrelated files, accessing unrelated environment variables, or exfiltrating data.
Install Mechanism
The install instruction is a global npm install (@membranehq/cli). Using a public npm package is reasonable for a CLI, but this is a network install that will place a binary on the host (global npm install). Users should verify the package and trust the publisher before installing.
Credentials
The skill declares no env vars or secrets and explicitly tells agents not to request API keys (Membrane handles auth). That is proportionate; however the Membrane CLI performs browser-based login and will persist auth state/tokens locally (and Membrane's servers will hold connection credentials), so users should be aware of where those credentials live.
Persistence & Privilege
The skill is instruction-only, does not request always:true, and does not modify other skills or system-wide configuration. It relies on the Membrane CLI and account but does not demand elevated or persistent platform privileges itself.
Scan Findings in Context
[no_regex_findings] expected: The static scanner found nothing because this is an instruction-only skill with no code files to analyze. That absence is expected but not evidence of safety; the SKILL.md is the primary surface to review.
Assessment
This skill appears coherent, but before installing: (1) verify the @membranehq/cli package (publisher and GitHub repo) to ensure you trust the source; (2) prefer installing in a controlled environment (avoid global installs on critical machines) or use npx if you don't want a global binary; (3) be aware membrane login will open a browser and store tokens (consider using a dedicated account if you have separation concerns); (4) do not paste other service credentials into chat—use the Membrane connection flow as documented; (5) if you need stronger assurance, review the Membrane CLI project's repository and release artifacts before running the install command.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97a8ayfycr8g2ttwjd58bv5058433ph
