Back to skill
Skillv1.0.3
ClawScan security
Teamleader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 28, 2026, 9:14 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and instructions are coherent for a Teamleader integration that uses the Membrane CLI; nothing requested or instructed is disproportionate to that purpose.
- Guidance
- This skill appears to do what it says: it instructs you to install and use the Membrane CLI to interact with Teamleader. Before installing and using it: (1) verify the @membranehq/cli package and its publisher on npm (global installs add a system binary), (2) understand that Membrane will hold/manage your Teamleader credentials (trust the service and review its privacy/security docs), (3) perform authentication steps in a trusted environment (avoid running in highly privileged or production hosts if you want to limit token persistence), and (4) when in doubt, run the CLI in an isolated container or throwaway VM to evaluate behavior first.
Review Dimensions
- Purpose & Capability
- okName/description indicate a Teamleader integration and the SKILL.md exclusively instructs the agent to use the Membrane CLI to find connections, run actions, and proxy requests to Teamleader — which is exactly what you'd expect for this purpose.
- Instruction Scope
- okThe instructions are focused on installing and using the Membrane CLI, authenticating, creating/ensuring connections, listing/running actions, and optionally proxying API requests. They do not direct the agent to read unrelated system files, access unrelated environment variables, or exfiltrate arbitrary data.
- Install Mechanism
- noteThere is no automated install spec in the skill bundle (it's instruction-only). The SKILL.md recommends a global npm install of @membranehq/cli@latest. Installing a global npm package is a normal but moderately privileged action (writes a binary to the system PATH and pulls code from the public npm registry); users should verify the package and source before installing.
- Credentials
- okThe skill declares no required environment variables or credentials. It relies on Membrane to handle authentication and credential refresh for Teamleader, which is proportionate to the described integration. Note: using Membrane means Membrane (and its CLI/service) will hold/access the Teamleader tokens on behalf of the user.
- Persistence & Privilege
- noteThe skill does not request always: true and is not automatically persistent. However, following the instructions results in installing a CLI (persistent binary) and authenticating a Membrane account/connection, which will persist credentials/tokens within Membrane or the CLI's storage. This is expected but worth awareness.