Skill v1.0.3
ClawScan security
Zulip · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 22, 2026, 7:20 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions generally match a Zulip integration via the third-party Membrane CLI, but there are inconsistencies (declared requirements vs. actual commands), and it routes auth and data through an external service and npm-installed tooling. Review these points before installing.
- Guidance: Before installing or running this skill: (1) understand that it routes Zulip access through a third-party service (Membrane); review Membrane's privacy, security, and data-retention policies and proceed only if you trust them. (2) The SKILL.md requires npm/node (a global install or npx) even though the registry metadata lists no required binaries; installing global npm packages can run code from the npm registry, including package install scripts, so vet the package (@membranehq/cli), pin an exact version rather than `@latest`, and prefer running it in a sandbox. (3) The skill intentionally avoids asking for raw API keys, which means Membrane holds or mediates the credentials; confirm that level of delegation is acceptable. (4) Ask the publisher for clarification or updated metadata that lists the required binaries and a canonical Membrane project homepage or repository if you want higher assurance. If you cannot trust or verify Membrane, consider integrating directly with Zulip using your own API tokens instead.
Review Dimensions
- Purpose & Capability
- note: The skill claims to integrate with Zulip and its instructions use Membrane to do so, which is coherent. However, the registry metadata lists no required binaries or env vars even though the SKILL.md expects npm/npx and the membrane CLI to be available or installed, a mismatch between declared requirements and actual usage.
- Instruction Scope
- note: SKILL.md stays on-topic (install the Membrane CLI, log in, create a connection, discover and run actions). It does not instruct the agent to read unrelated files or exfiltrate data, but it tells the user/agent to install and run third-party tooling and to send credentials and requests through Membrane, which broadens the effective scope to include the Membrane service.
- Install Mechanism
- concern: There is no formal install spec in the registry, but the instructions tell the user/agent to run `npm install -g @membranehq/cli@latest` and use `npx`. Installing global npm packages or running npx fetches and executes code from the npm registry (including any preinstall/postinstall scripts the package declares); this is common, but it carries more risk than an instruction-only skill that requires nothing to be installed, and `@latest` means the code that runs can change between installs. The skill does not declare this dependency in its metadata.
- Credentials
- concern: The skill declares no required env vars or primary credential, yet operation relies on a Membrane account and a browser-based login flow that hands auth to Membrane. That centralizes access to Zulip credentials and operations in a third-party service (Membrane). The lack of declared credentials and the expectation that Membrane "handles auth" are a potential privacy/consent concern and should be justified to the user.
- Persistence & Privilege
- ok: The skill is not always-enabled and uses the normal autonomous invocation setting (disable-model-invocation=false). It does not request persistent system-wide configuration or claim to modify other skills. No elevated persistence privileges are requested.
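The two findings above that a reviewer can check mechanically are the declared-vs-actual mismatch (Purpose & Capability) and the install-mechanism risk: binaries the SKILL.md invokes but the metadata does not declare, package specs fetched from the registry without a pinned version, a global install, and lifecycle scripts in the package manifest that would run at install time. The script below is an added example, not ClawScan's or ClawHub's own code; it parses constructed stand-ins for the registry metadata, the SKILL.md, and a package manifest (the manifest is invented, given a `postinstall` script on purpose so the check has something to flag, and is not a claim about the real `@membranehq/cli` package). The metadata field names (`requires.bins`, `requires.env`) are assumptions about the registry format.

```python
import re

# npm lifecycle scripts that execute automatically during `npm install`.
LIFECYCLE_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
CMD_RE = re.compile(r"`([^`]+)`")
# Scoped (@scope/name) or bare package name, optionally followed by @version.
SPEC_RE = re.compile(r"^(@[^/@\s]+/[^@\s]+|[^@\s]+)(?:@(\S+))?$")
EXACT_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")

# Constructed registry metadata: no required binaries or env vars declared,
# matching what the scanner reports. Field names are assumptions.
REGISTRY_METADATA = {
    "name": "zulip",
    "version": "1.0.3",
    "requires": {"bins": [], "env": []},
    "always": False,
    "disable-model-invocation": False,
}

# Constructed SKILL.md excerpt with the commands the scanner describes.
SKILL_MD = """\
# Zulip via Membrane
Install the CLI: `npm install -g @membranehq/cli@latest`
Or run it ad hoc: `npx @membranehq/cli login`
Then create a connection: `membrane connections create zulip`
"""

# Constructed package manifest (invented; not the real package's package.json).
# It deliberately declares a postinstall script so the check below flags it.
PACKAGE_JSON = {
    "name": "@example/cli",
    "version": "0.1.0",
    "scripts": {"postinstall": "node scripts/setup.js", "test": "jest"},
    "bin": {"example": "bin/example.js"},
}


def commands_in(skill_md):
    """Every backtick-quoted command in the SKILL.md text, in order."""
    return CMD_RE.findall(skill_md)


def binaries_used(commands):
    """First token of each command: the binaries the skill actually needs."""
    return {cmd.split()[0] for cmd in commands if cmd.strip()}


def undeclared_binaries(metadata, commands):
    """Binaries the instructions invoke that the metadata does not declare."""
    declared = set(metadata.get("requires", {}).get("bins", []))
    return binaries_used(commands) - declared


def package_specs(commands):
    """Package specs fetched from the registry by `npm install` or `npx`."""
    specs = []
    for cmd in commands:
        tokens = cmd.split()
        if tokens[:2] in (["npm", "install"], ["npm", "i"]):
            specs += [t for t in tokens[2:] if not t.startswith("-")]
        elif tokens[:1] == ["npx"]:
            args = [t for t in tokens[1:] if not t.startswith("-")]
            if args:
                specs.append(args[0])
    return specs


def is_pinned(spec):
    """True only for an exact x.y.z version; `@latest` or no version is unpinned."""
    m = SPEC_RE.match(spec)
    if not m:
        return False
    version = m.group(2)
    return version is not None and bool(EXACT_VERSION_RE.match(version))


def unpinned_specs(commands):
    return [s for s in package_specs(commands) if not is_pinned(s)]


def lifecycle_scripts(package_json):
    """Scripts in the manifest that npm would run automatically at install time."""
    return sorted(set(package_json.get("scripts", {})) & LIFECYCLE_SCRIPTS)


def uses_global_install(commands):
    return any(" -g " in f" {c} " or " --global " in f" {c} " for c in commands)


def review(metadata, skill_md, package_json):
    """Collect the install-related findings a reviewer would raise."""
    cmds = commands_in(skill_md)
    return {
        "undeclared_binaries": sorted(undeclared_binaries(metadata, cmds)),
        "unpinned_specs": unpinned_specs(cmds),
        "global_install": uses_global_install(cmds),
        "lifecycle_scripts": lifecycle_scripts(package_json),
    }


if __name__ == "__main__":
    for finding, value in review(REGISTRY_METADATA, SKILL_MD, PACKAGE_JSON).items():
        print(f"{finding}: {value}")
```

On a real package, `npm view <pkg> scripts --json` returns the manifest's scripts block for the `lifecycle_scripts` check, and `npm install --ignore-scripts <pkg>@<exact-version>` installs without running them; whether the CLI still works with its install scripts skipped is something to confirm in the sandbox before trusting it.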
