Back to skill
Skillv1.0.0
ClawScan security
Membership Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 15, 2026, 11:38 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match its stated purpose (managing membership records, reminders, and simple value calculations); it doesn't request credentials, install software, or contact external endpoints.
- Guidance
- The skill appears coherent and limited to local membership tracking. Before installing, verify how LocalStore persists data in your agent environment (where files are stored and whether they are synchronized/backed up externally). Avoid storing sensitive credentials, payment information, or account passwords in this tool—it stores membership metadata (expiry dates, counts, etc.) but is not designed as a secure credential vault. If you need networked account syncing, request explicit documentation of endpoints and encryption before use.
Review Dimensions
- Purpose & Capability
- okThe name/description (membership management, expiry reminders, benefit tracking) align with the included code: index.js implements adding memberships, expiry checks, unused-benefit listing, ROI calculation, and a dashboard. There are no unrelated capabilities or requests.
- Instruction Scope
- okSKILL.md contains only usage examples and high-level instructions for membership tasks. The runtime code operates on an internal LocalStore and does not read arbitrary files, environment variables, or send data externally. There is no scope creep in the instructions.
- Install Mechanism
- okNo install spec is provided (instruction-only install), so nothing is downloaded or written to disk during an install step beyond the normal skill code. The skill includes a single code file; there are no external fetches or archive extracts.
- Credentials
- okThe skill declares no required environment variables or credentials and the code does not access process.env. No secrets are requested, which is proportional to the described functionality.
- Persistence & Privilege
- noteThe code uses a LocalStore instance namespaced as 'membership-manager' to persist membership data locally, which is appropriate for this feature. As a note, persistence is local to the agent environment—the skill does not request 'always: true' or modify other skills' configs.