Back to skill
Skillv1.0.3
ClawScan security
Statuspage Io · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 22, 2026, 1:16 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it is an instruction-only integration that delegates auth and actions to the Membrane CLI for interacting with Statuspage.io and does not request unrelated credentials or system access.
- Guidance
- This skill is instruction-only and uses the Membrane CLI to access Statuspage.io. Before installing or running it: verify the @membranehq/cli package and its GitHub repository (ensure the upstream project is trustworthy), prefer using npx for one-off runs rather than a global install if you want less footprint, and be aware that authentication is handled by Membrane (you will complete login in a browser and Membrane will manage tokens server-side). If you need tighter control over credentials, review Membrane's privacy/security docs and the CLI source before proceeding.
Review Dimensions
- Purpose & Capability
- okName and description match the runtime instructions: all operations are performed via the Membrane CLI against Statuspage.io. There are no unrelated credentials, binaries, or config paths requested.
- Instruction Scope
- okSKILL.md constrains actions to installing and using the Membrane CLI (login, connect, action list/create/run) and does not instruct reading arbitrary files, environment variables, or sending data to unexpected endpoints. It does require a Membrane account and network access, which are documented.
- Install Mechanism
- noteThe instructions ask the user to run npm install -g @membranehq/cli@latest (or npx in examples). This is a typical way to obtain a CLI but does involve installing a third-party npm package globally; this is expected for a CLI-driven integration but is a moderate-risk action that depends on trusting the @membranehq package source and the npm registry.
- Credentials
- okThe skill declares no required env vars or primary credential. It explicitly delegates authentication to Membrane, so no local API keys are requested. The requested access is proportionate to the described purpose.
- Persistence & Privilege
- okThe skill is not marked always:true and does not request persistent system-wide changes or access to other skills' configs. Autonomous invocation is allowed by default (normal) but not elevated here.