Skill v1.0.3
ClawScan security
Transifex · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 7:28 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it delegates Transifex access to the Membrane CLI and asks the user to install and authenticate that CLI; there are no unrelated environment variables or hidden install steps, but it requires trusting the external Membrane service and an npm package.
- Guidance: Before installing: verify the @membranehq/cli package and its maintainers (npm page and GitHub repo), and confirm how and where credentials are stored (local vs remote). Installing a global npm package requires elevated filesystem access — consider installing in a controlled environment (VM/container) if you are cautious. Understand that using this skill routes Transifex access through Membrane (getmembrane.com); if you require direct control of API keys or avoid third-party intermediaries, consider a different integration approach. Review CLI commands and output (use --json for machine-readable output) and confirm privacy/security practices from Membrane's docs or repo. If anything about the package source or credential handling is unclear, ask the publisher for details before proceeding.
Review Dimensions
- Purpose & Capability (ok): The skill's name/description (Transifex integration) match the runtime instructions: all actions go through the Membrane CLI which then connects to a Transifex connector. There are no unexpected credentials or unrelated capabilities requested.
- Instruction Scope (ok): SKILL.md contains CLI-centric instructions (install Membrane CLI, login, create connection, list actions, create actions). It does not instruct the agent to read arbitrary local files, environment variables, or other unrelated system state. It does require interactive login flows (authorization URL/code).
- Install Mechanism (note): There is no manifest install spec; the instructions ask the user to run npm install -g @membranehq/cli@latest. Installing a global npm package is a normal but moderately risky step (public registry package execution). The skill itself does not embed or download arbitrary archives.
- Credentials (note): The skill declares no required env vars or credentials because Membrane is expected to handle auth. This is coherent, but it means Membrane (and the installed CLI) will hold or proxy your Transifex credentials/data — you must trust that third party. No unrelated secrets are requested.
- Persistence & Privilege (ok): always is false and there are no instructions to modify other skills or system-wide agent settings. The skill relies on an external CLI and connections stored/managed by Membrane, which is expected behavior for this integration.
