Skill v1.0.0
ClawScan security
Time Tracker By Ebillity · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 5, 2026, 12:05 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only integration that uses the Membrane CLI to proxy requests to Time Tracker by eBillity; the commands and requirements align with its stated purpose and do not request unrelated system access or credentials.
- Guidance: This skill appears to do what it says: it uses the Membrane CLI to access Time Tracker by eBillity. Before installing, (1) verify and trust the @membranehq/cli npm package and its publisher (check npmjs, GitHub repo, and package version); (2) review Membrane's privacy/security docs and terms because connections and proxied requests (and possibly user data) will be handled by Membrane's service; (3) prefer running one-off commands with 'npx' or in an isolated environment if you do not want to install a global package; and (4) avoid sending highly sensitive secrets or unrelated data through the proxy unless you are comfortable with Membrane handling them.
Review Dimensions
- Purpose & Capability (ok): The name/description match the SKILL.md content: it instructs the agent to use the Membrane CLI to interact with Time Tracker by eBillity. All required capabilities (network, Membrane account, Membrane CLI) are consistent with the stated purpose.
- Instruction Scope (ok): Runtime instructions are limited to installing/using the Membrane CLI, creating connections, listing actions, running actions, and proxying API requests via Membrane. The instructions do not ask the agent to read arbitrary system files, unrelated env vars, or perform out-of-scope data collection.
- Install Mechanism (note): There is no platform install spec, but SKILL.md directs installing the Membrane CLI via 'npm install -g @membranehq/cli' (and suggests npx in one place). Installing a global npm package is a normal approach but has moderate risk compared with an instruction-only flow because it writes code to disk and gains command-line privileges; you should vet the npm package and publisher before installing.
- Credentials (note): The skill itself requests no environment variables or secrets. However, it relies on Membrane to manage authentication and proxies requests to the target API — this means authentication tokens and proxied request payloads will be handled by Membrane's service, so users should be aware that potentially sensitive data will transit and be stored/processed by Membrane.
- Persistence & Privilege (ok): The skill is not always-enabled and is user-invocable; it does not request elevated agent persistence or modify other skills. There is no install script in the skill bundle that would alter agent-wide settings.
