Skill v1.0.3

ClawScan security

Suitedash · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 11:58 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, dependencies, and required access align with its stated SuiteDash integration purpose: it directs use of the Membrane CLI for auth and actions and does not ask for unrelated credentials or system access.
Guidance
This skill is internally coherent: it delegates auth and API calls to the Membrane CLI rather than asking you for SuiteDash keys. Before installing, verify the @membranehq/cli package and getmembrane.com reputation (check the npm package page and GitHub repo), and review Membrane's privacy/security docs because your SuiteDash data will flow through their service. Be aware that running npm install -g executes code from the public registry—only proceed if you trust the package source. If you need stricter control, consider using an independently audited connector or reviewing the Membrane CLI source first.

Review Dimensions

Purpose & Capability
ok: The name/description say 'SuiteDash integration' and the SKILL.md instructs use of the Membrane CLI to connect to SuiteDash, discover actions, and run them. Requiring a Membrane account and network access is coherent with this purpose. The skill does not request unrelated credentials or binaries.
Instruction Scope
ok: Runtime instructions are limited to installing/using the Membrane CLI (npm commands, membrane login, connect, action list/run). They don't direct the agent to read arbitrary files, harvest unrelated environment variables, or transmit data to unexpected third parties. The doc explicitly advises letting Membrane handle credentials and not asking users for API keys.
Install Mechanism
note: There is no formal install spec in the registry (instruction-only). The SKILL.md tells users to install @membranehq/cli via npm (global install or npx). That is a normal, traceable public-registry install, but installing global npm packages executes third-party code from the npm registry — a moderate operational consideration for users.
Credentials
ok: The skill declares no required environment variables or primary credentials. It relies on Membrane-managed authentication (OAuth/browser flow) rather than asking for API keys or secrets, which is proportionate to its stated function.
Persistence & Privilege
ok: Flags: always:false, user-invocable:true, disable-model-invocation:false (normal). The skill does not request persistent system-wide changes or access to other skills' configs. Autonomous invocation is allowed but not unusual; nothing indicates elevated or permanent privileges.