Back to skill
Skillv1.0.3
ClawScan security
15Five · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 21, 2026, 3:05 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are coherent with a 15Five integration: it delegates auth and API calls to the Membrane CLI/service and does not ask for unrelated secrets or system access.
- Guidance
- This skill is coherent: it relies on the Membrane CLI/service to authenticate and run 15Five actions rather than asking for direct API keys. Before installing or using it, verify that @membranehq/cli is the legitimate package you expect (check the npm org, repository and homepage), and be aware that 'npm install -g' adds a global binary to your system. The workflow requires you to complete a browser-based (or headless code) login to grant access — do not paste secrets into chat; follow the CLI prompts. If you do not trust Membrane as a third party, do not install or connect it to your 15Five data.
Review Dimensions
- Purpose & Capability
- okThe skill description (15Five integration) matches the instructions: it uses the Membrane CLI to create connections and run pre-built or custom actions against 15Five. Nothing requested is unrelated to that purpose.
- Instruction Scope
- noteSKILL.md instructs the agent/user to install and run the Membrane CLI, log in (which may open a browser or provide a headless code), create a connection for the 15five connector, discover actions, and run them. This stays within the integration scope. Note: the instructions ask users to install and run commands locally and to complete browser-based authentication flows; those are expected but require user attention.
- Install Mechanism
- noteThere is no formal install spec in the registry, but SKILL.md tells the user to run 'npm install -g @membranehq/cli@latest'. Global npm installs are a common but higher-risk install vector than 'no install'; users should verify the package identity and provenance before installing.
- Credentials
- okThe skill does not declare or require environment variables or credentials. It explicitly instructs to let Membrane handle credentials server-side and not to request user API keys, which is proportionate to its stated behavior.
- Persistence & Privilege
- okThe skill does not request always-on presence and makes no system-wide configuration changes in the instructions. Autonomous invocation is allowed by default but not combined with other concerning privileges.