Skill v1.0.1
ClawScan security
Tmetric · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Apr 22, 2026, 9:08 PM)
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose (TMetric integration via the Membrane CLI); it asks you to install and use the Membrane CLI but does not request unrelated credentials or perform unexpected operations in its instructions.
- Guidance: This skill looks coherent: it uses the Membrane CLI to connect to TMetric and does not ask for unrelated secrets. Before installing or running it, verify the authenticity of the @membranehq/cli package on the npm registry and that the getmembrane.com site and the GitHub repository belong to the vendor you trust. Prefer running commands with npx (npx @membranehq/cli@latest ...) instead of a global npm install when possible, or install in an isolated environment. Be aware that connecting through Membrane grants that service access to your TMetric data on your behalf, so review Membrane's privacy/security docs and your organization's policy. If you need higher assurance, ask the publisher for the exact package/version to pin and review its source code on the linked GitHub repo prior to installation.
Review Dimensions
- Purpose & Capability (ok): The name/description (TMetric integration) aligns with the instructions: all runtime guidance is about using the Membrane CLI to connect to TMetric, find/build actions, and run them. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope (ok): SKILL.md only instructs installing/running the Membrane CLI, authenticating via membrane login, creating a connection for the tmetric connector, listing and running Membrane actions, and using JSON flags. It does not direct reading arbitrary files, accessing unrelated env vars, or exfiltrating data to unexpected endpoints.
- Install Mechanism (note): There is no formal install spec in the registry entry, but the instructions tell users to run a global npm install (npm install -g @membranehq/cli@latest) or use npx. Installing a global npm package executes code from the public registry and carries moderate risk; this is, however, proportionate for a CLI-based integration. Consider using npx or verifying the package before a global install.
- Credentials (ok): The skill declares no required environment variables or credentials. The instructions explicitly state that Membrane handles auth server-side and that you should not supply API keys yourself. This is proportionate for an integration that delegates auth to a connector service.
- Persistence & Privilege (ok): The skill is instruction-only, has always: false, and does not request persistent system-wide changes or access to other skills' configs. Autonomous invocation is allowed by default (disable-model-invocation: false), which is normal for skills and not by itself a red flag.
