Skill v1.0.5

ClawScan security

Google Sheets · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 9:11 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions, install steps, and requirements are consistent with a Google Sheets integration that uses the third‑party Membrane service as a proxy; nothing requested is disproportionate to that purpose, but it does route data through Membrane and requires you to trust that service.
Guidance
This skill appears coherent: it uses the Membrane CLI to proxy Google Sheets actions. Before installing or using it, consider:

- You will need a Membrane account and to install @membranehq/cli from npm; verify the npm package and upstream repo (check package publisher, download counts, repo code) if you need higher assurance.
- Spreadsheet content and API calls are routed through Membrane's service (getmembrane.com) — review their privacy/security policy and trust model before sending sensitive data.
- Authentication happens via the CLI browser flow (or headless code), so be prepared to complete OAuth in-browser and be mindful where OAuth tokens are stored locally by the CLI.
- The CLI runs on your machine (npm -g / npx), so follow usual npm security practices (avoid running unknown install scripts, check versions).
- If you need stronger guarantees, consider using an integration that talks directly to Google APIs (and manages credentials locally) or self-hosting an equivalent connector.

If you want more confidence, provide the package's npm URL and actual repository code for a deeper review.

Review Dimensions

Purpose & Capability
ok: The skill is explicitly a Google Sheets integration that uses the Membrane CLI and Membrane connections to access Sheets. The declared requirements (network + Membrane account) match the described functionality; no unexplained credentials or unrelated binaries are requested.
Instruction Scope
note: SKILL.md instructs installing and using the @membranehq/cli, logging in (interactive or headless flow), creating/ensuring a Membrane connection, searching actions, running actions, and proxying direct Google Sheets API requests through Membrane. This stays within the stated purpose, but it implies spreadsheet contents and API requests will be routed through Membrane (a third party) — the user should be aware that data will transit that service.
Install Mechanism
ok: Installation is a public npm package (@membranehq/cli) with a simple npm -g or npx invocation — standard practice for CLI tools. No obscure download URLs or archive extraction are used in the instructions.
Credentials
note: The skill declares no required environment variables or credentials; authentication is handled interactively by the Membrane CLI. This is proportionate, but it means credentials and OAuth tokens will be stored/managed by the Membrane CLI/service rather than in env vars — users should understand where those tokens are stored and that Membrane will have access to the proxied data.
Persistence & Privilege
ok: The skill is instruction-only (no install spec or code files included in the skill bundle) and not always-enabled. It does not request elevated persistence or system-wide configuration changes. Autonomous invocation is allowed (platform default) but not combined with any other unusual privileges.