Skill v1.0.1
ClawScan security
Upayments · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 11:04 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only integration that consistently directs the agent/user to use the Membrane CLI to manage UPayments connections; its requirements and instructions match its stated purpose and do not ask for unrelated credentials or system access.
- Guidance: This skill is coherent: it tells you to install and use the Membrane CLI to connect to UPayments and does not request unrelated secrets. Before installing, verify the @membranehq package and the getmembrane.com project (check the npm package page and the GitHub repo linked in the SKILL.md) to ensure you're installing the official CLI. Installing global npm packages runs code on your machine—if you have doubts, install in an isolated environment or use `npx` to avoid globally mutating your system. Confirm what permissions a created Membrane connection grants and use a test/sandbox UPayments account if possible.
Review Dimensions
- Purpose & Capability: ok. Name/description indicate an integration with UPayments and all instructions, commands, and dependencies (membrane CLI, network, Membrane account) are directly related to connecting to and running actions against UPayments via Membrane. No unrelated credentials or unrelated binaries are requested.
- Instruction Scope: ok. SKILL.md limits runtime actions to installing and using the Membrane CLI, authenticating via `membrane login`, creating connections, discovering and running actions. It does not instruct reading arbitrary files, exfiltrating data, or accessing environment variables beyond the normal CLI auth flow.
- Install Mechanism: note. There is no skill install spec, but the instructions ask the user to run `npm install -g @membranehq/cli@latest` (and suggest `npx` in examples). Installing a global npm package is a reasonable and expected step for a CLI-based integration, but npm installs execute code from the public registry so users should verify the package provenance (@membranehq) before installing.
- Credentials: ok. The skill declares no required environment variables or credentials and explicitly advises not to ask users for API keys, instead using Membrane-managed connections. This is proportionate for a third-party connector that delegates auth to Membrane.
- Persistence & Privilege: ok. The skill is instruction-only, has no always:true flag, and does not request persistent system privileges or modification of other skills. It does instruct installing a CLI, but that is limited to the user's environment and is expected for CLI usage.
