Back to skill
Skillv1.0.3
ClawScan security
Sportsdata · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 22, 2026, 1:10 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, requirements, and actions are coherent with its stated purpose (integrating SportsData via the Membrane CLI); it asks you to install and use Membrane and a Membrane account but does not request unrelated credentials or access to unexpected files.
- Guidance
- This skill appears coherent: it uses the Membrane CLI to manage a SportsData connection and run actions. Before installing: 1) Verify you trust Membrane (review their homepage, package on npm, and privacy/permission docs) because you'll be granting it access to SportsData on your behalf. 2) Prefer running commands with npx or a local install rather than npm install -g if you want to avoid system-wide changes. 3) Use an account with limited permissions for testing, and confirm what data the Membrane connection will access. 4) Be aware the CLI will open an auth flow (or provide a code) — do not paste sensitive unrelated tokens into the CLI prompts. There are no other unexpected environment or file-access requests in the skill.
Review Dimensions
- Purpose & Capability
- okThe name/description say 'SportsData integration' and the SKILL.md consistently instructs use of the Membrane CLI to connect to a SportsData connector, discover and run actions. There are no unrelated env vars, binaries, or paths requested.
- Instruction Scope
- okThe runtime instructions are scoped to installing/using the Membrane CLI, logging in, creating a connection, listing/creating actions, and running them. The doc does not instruct reading arbitrary files, harvesting environment variables, or sending data to unexpected endpoints.
- Install Mechanism
- noteThis is an instruction-only skill (no install spec). It tells users to install @membranehq/cli via npm install -g (or use npx). Installing a global npm CLI executes third-party code from the npm registry, which is a normal but non-trivial action — verify the package and prefer npx or a scoped install if you want fewer system-wide changes.
- Credentials
- okThe skill declares no required environment variables or secrets. Authentication is delegated to the Membrane service via interactive login/connection, which is proportionate to the task. Note that connecting will give Membrane (and thus its connector) the ability to access SportsData on your behalf, so you should trust the Membrane service.
- Persistence & Privilege
- okThe skill is not always-on and does not request elevated or persistent system privileges. It does not modify other skills or system-wide agent settings in the instructions. Autonomous invocation is enabled by default but that is normal and not combined with other red flags here.