Skill v1.0.4

ClawScan security

Geodb Cities · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 9:02 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only wrapper that tells the agent to use the Membrane CLI to access GeoDB Cities data; its requirements and instructions are coherent with that purpose, with only minor metadata mismatches to note.
Guidance
This skill is an instruction-only integration that expects you to install the Membrane CLI and sign in to a Membrane account to use the GeoDB Cities connector. Before installing or using it: (1) confirm you trust the Membrane CLI package (@membranehq/cli) and its npm publisher; (2) be aware the skill requires network access and a Membrane account even though the registry metadata omitted that — you'll be authorizing Membrane to manage connections to GeoDB on your behalf; (3) prefer using the browser-based authentication flow and avoid pasting secrets into chat; (4) review what permissions/connections you create in Membrane (these connections may grant the service access to third-party APIs on your behalf). If you need stronger assurance, verify the Membrane project's source (homepage/repository) and the registry publisher identity before proceeding.

Review Dimensions

Purpose & Capability
ok · Name and description (GeoDB Cities integration) match the instructions: all runtime steps are about installing and using the Membrane CLI to connect to the GeoDB Cities connector and run/list actions. The operations the skill describes (connect, list actions, create/run actions) are appropriate for the stated purpose.
Instruction Scope
note · SKILL.md only instructs installing the Membrane CLI and using it (login, connect, action list/create/run). It does not request unrelated files, system paths, or secret exfiltration. Note: SKILL.md states 'Requires network access and a valid Membrane account,' but the registry metadata did not declare this requirement — a minor mismatch in metadata vs runtime instructions.
Install Mechanism
ok · The skill is instruction-only (no install spec). It directs the user to install @membranehq/cli from npm (npm install -g @membranehq/cli@latest). This is a standard public-registry install; no arbitrary URL downloads or archive extraction are instructed by the skill itself.
Credentials
note · The skill declares no required environment variables or secrets. Runtime instructions do require a Membrane account and authentication via the Membrane CLI (interactive or headless authorization flow). The fact that registry metadata does not list the Membrane account requirement is an inconsistency to be aware of, but the credential demands are proportional to the skill's function (auth to Membrane to access GeoDB).
Persistence & Privilege
ok · The skill is not persistent (always:false) and is user-invocable. It contains no install-time actions or system modifications; autonomous invocation is allowed but is the platform default and not by itself a concern here.