Skill v1.0.3
ClawScan security
Exact Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 1:04 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and instructions are consistent with an Exact Online integration via the Membrane CLI; nothing requested appears unrelated to its stated purpose.
- Guidance: This skill appears coherent: it uses the Membrane platform/CLI to access Exact Online and asks only for the normal OAuth-style login handled by Membrane. Before installing or following the SKILL.md: (1) Verify the @membranehq/cli npm package and its publisher (review the package page and the linked GitHub repo) because a global npm install runs third-party code. (2) Confirm Membrane's privacy and credential storage practices — the connection will grant access to Exact Online data, so use a least-privileged account or a test tenant if possible. (3) Review the Exact Online connector permissions when you authenticate and revoke access you don't want. (4) If you prefer lower risk, run the CLI in an isolated environment (container or dedicated VM) rather than installing globally. If you want deeper assurance, provide the repository/package URLs and a sample connection flow for a closer code-level review.
Review Dimensions
- Purpose & Capability (ok): The name/description say 'Exact Online' and the SKILL.md instructs using the Membrane CLI to connect to Exact Online — requiring network access and a Membrane account. Required auth and tooling (Membrane CLI, connection creation) align with the integration purpose; no unrelated credentials or binaries are requested.
- Instruction Scope (ok): The instructions only describe installing and using the Membrane CLI (login, connect, list actions, run actions). They do not ask the agent to read arbitrary files, environment variables, system paths, or to transmit data to unexpected endpoints.
- Install Mechanism (note): The registry has no install spec (instruction-only). SKILL.md recommends installing @membranehq/cli via npm -g, which is a normal approach for a CLI. This depends on trusting the npm package/publisher (global npm installs execute code on the host).
- Credentials (ok): The skill declares no required environment variables or credentials. Authentication is delegated to Membrane's login flow (browser/authorization code), which is proportionate for accessing Exact Online data.
- Persistence & Privilege (ok): The skill is not marked always:true and requests no system-wide config or cross-skill credentials. It is an instruction-only integration and does not ask for elevated/persistent privileges.
