Skill v1.0.3
ClawScan security
7Shifts · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 3:04 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only integration that tells the agent to use the Membrane CLI to operate on 7shifts; its requirements and instructions are consistent with that purpose.
- Guidance: This skill is instruction-only and appears coherent: it instructs use of the Membrane CLI to talk to 7shifts and does not ask for unrelated credentials. Before installing/using it, consider:
  1. Verify the Membrane CLI package (@membranehq/cli) on npm/GitHub and prefer a pinned version or review the package source to reduce supply-chain risk.
  2. A global npm install writes a binary into your PATH and requires appropriate privileges—install in a contained environment (container, VM, or nvm-managed node) if you want to limit impact.
  3. The auth flow opens a browser or uses a code for headless systems—be prepared for manual completion and confirm any authorization scopes requested.
  4. Confirm you trust getmembrane.com and the Membrane account used, since Membrane will hold credentials/refresh tokens for connected services.

  If any of these are unacceptable, do not install or use the CLI until you can validate the vendor and package.
Review Dimensions
- Purpose & Capability (ok): Name/description (7shifts integration) match the runtime instructions: it instructs use of the Membrane CLI to connect to 7shifts and run actions. No unrelated credentials, binaries, or system paths are requested.
- Instruction Scope (ok): SKILL.md confines the agent to installing and using the Membrane CLI (login, connect, action list/run). It does not instruct reading unrelated files or exfiltrating data. It explicitly advises not to ask users for API keys and documents interactive/headless auth flows.
- Install Mechanism (note): Installation is instruction-only and recommends `npm install -g @membranehq/cli@latest`. A global npm install is a common but moderate-risk choice (supply-chain and privilege considerations). This install instruction is proportionate to using the Membrane CLI, but users should verify the package source/version before installing globally.
- Credentials (ok): No environment variables, secrets, or config paths are required by the skill. The only external requirement is a Membrane account and network access, which are appropriate for this integration.
- Persistence & Privilege (ok): always:false (normal). The skill does not request permanent presence or attempt to modify other skills or system-wide configs. Autonomous invocation is allowed by platform default and is not combined with other red flags.
