Skill v1.0.3
ClawScan security
Datarobot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 7:02 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only connector that routes DataRobot operations through the Membrane CLI; its requirements and instructions are coherent with the described purpose.
- Guidance: This skill is an instructions-only integration that requires you to install the Membrane CLI (npm install -g @membranehq/cli) and sign in to a Membrane account. Before installing or running actions:
  1) Verify the @membranehq/cli npm package and publisher (review the package on npm/GitHub) because global npm installs place binaries on your PATH.
  2) Be careful running actions that delete resources: review action input and ID values before executing destructive commands.
  3) Understand that authentication is handled by Membrane: the CLI will store credentials locally and the connection flow may involve directing DataRobot credentials through Membrane.
  If you need a higher safety margin, run the CLI in an isolated environment or container and inspect the connection/action definitions returned by membrane action list before running them.
Review Dimensions
- Purpose & Capability (ok): Name/description promise DataRobot integration and all instructions are about installing and using the Membrane CLI to talk to DataRobot. There are no unrelated credential or config requests.
- Instruction Scope (note): SKILL.md is narrowly focused on installing the Membrane CLI, logging in, creating a Membrane–DataRobot connection, and discovering and running actions. It documents potentially destructive actions (delete-project, delete-dataset, delete-deployment), which is expected for a full-management integration but warrants user caution before running those actions.
- Install Mechanism (note): There is no platform install spec in the package metadata, but SKILL.md instructs a global npm install (@membranehq/cli). That's a standard way to install a CLI but carries the usual tradeoffs of running third-party npm packages with global privileges; expected for a CLI-driven skill but worth reviewing the package and publisher.
- Credentials (ok): The skill declares no required env vars or credentials. It relies on the Membrane login flow (interactive or headless) to obtain credentials and to manage DataRobot auth; this matches the stated design and does not request unrelated secrets.
- Persistence & Privilege (ok): always is false and the skill is instruction-only. It does not request permanent platform privileges or modifications to other skills. Membrane login will store credentials as part of normal CLI behavior, which is expected for this use case.
