Back to skill
Skillv1.0.3
ClawScan security
Unbounce · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 22, 2026, 1:54 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only Unbounce integration that consistently delegates auth and API interactions to the Membrane CLI/service; the requested actions and dependencies match the described purpose.
- Guidance
- This skill delegates Unbounce access to the Membrane service and asks you to install @membranehq/cli and complete a browser-based login. If you plan to use it: (1) confirm you trust Membrane (review getmembrane.com and the @membranehq npm package/repo and published versions), (2) be aware Membrane will store/manage your Unbounce credentials and will be able to access your Unbounce data, (3) global npm installs modify your system PATH and require permissions—consider using a controlled environment or container, and (4) if you need a smaller blast radius, test with a non-production Unbounce account or review Membrane's privacy/security docs before granting access.
Review Dimensions
- Purpose & Capability
- okThe name/description (Unbounce integration) align with the runtime instructions (use Membrane CLI to connect to Unbounce and run actions). The commands and flows described are what you'd expect for a connector-based integration.
- Instruction Scope
- okSKILL.md only instructs installing and using the Membrane CLI, logging in, creating a connection, discovering actions, and running them. It does not instruct reading unrelated files, accessing unrelated env vars, or exfiltrating data beyond the Unbounce/Membrane context.
- Install Mechanism
- noteThere is no registry install spec—installation is an instruction to run `npm install -g @membranehq/cli@latest`. That is a common approach but requires network access and elevated permissions and will install a third-party CLI globally; users should verify the package/source before installing.
- Credentials
- okThe skill declares no required env vars or credentials. It relies on Membrane for auth (server-side), which is proportionate for a connector that must access user Unbounce data. Users should understand that Membrane will hold the Unbounce credentials on their behalf.
- Persistence & Privilege
- okSkill is instruction-only, not always-enabled, and requests no system config paths or persistent privileges. Autonomous invocation remains enabled (platform default) but is not combined with broad access here.