Skill v1.0.3

ClawScan security

Surveymonkey · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 2:06 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it delegates SurveyMonkey access to the Membrane CLI and does not request unrelated credentials, but it requires installing a third-party CLI and routes data through Membrane (a third-party service), which you should review before use.
Guidance
This skill is coherent for SurveyMonkey integration but routes auth and data through Membrane. Before installing or using it: (1) verify Membrane (@membranehq/cli) on npm and review its source/release provenance; (2) understand that connecting will create a server-side connection in Membrane which will see SurveyMonkey data — review Membrane's privacy/security policy and your organization's rules about third-party data processors; (3) installing the CLI globally runs code on your machine — consider installing in a sandbox or using a least-privilege account; (4) don't share your primary SurveyMonkey admin account if you can create a scoped/integration account; and (5) if you need to avoid sending data to third parties, do not use this skill and instead integrate directly with SurveyMonkey APIs under your own control.

Review Dimensions

Purpose & Capability
ok: The name/description (SurveyMonkey integration) matches the instructions: all actions are performed via the Membrane CLI and the workflow (connect, list actions, run actions) is coherent for this purpose.
Instruction Scope
note: SKILL.md instructs using membrane login/connect/action commands and explicitly says Membrane handles auth server-side (no API keys requested). This is coherent, but it means SurveyMonkey data and credentials are mediated by Membrane; users should be aware of that external data flow.
Install Mechanism
note: No install spec in the registry; the README tells users to run `npm install -g @membranehq/cli@latest`. Installing a global npm CLI is expected for this integration but does download and run third-party code on the host; verify the package and its trustworthiness before installing.
Credentials
ok: The skill requests no environment variables or local config paths and relies on Membrane for credentials. The requested access is proportional to the declared functionality.
Persistence & Privilege
ok: Skill is instruction-only, not always-enabled, and does not request persistent system-level privileges or modify other skills' configs.