Skill v1.0.3
ClawScan security
Jobnimbus · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 2:02 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it wraps JobNimbus via the Membrane CLI (interactive auth), asks for no unrelated credentials, and contains only usage instructions rather than code.
- Guidance: This skill delegates auth and API access to the Membrane CLI rather than embedding credentials in the skill. Before installing: (1) confirm you trust the @membranehq CLI (check the npm package page and GitHub repo), (2) be aware `npm install -g` modifies your system/global node modules and may require admin rights, (3) the CLI will open a browser or provide an auth URL — completing login grants Membrane access to your JobNimbus data and stores tokens locally, so review Membrane's access and privacy policies, and (4) if you cannot or do not want to install global CLI tools, don't install this skill. No code files or secret-exfiltration patterns were present, but absence of code does not guarantee safety—verify the upstream Membrane project before proceeding.
Review Dimensions
- Purpose & Capability (ok): The skill's name/description (Jobnimbus integration) match the instructions: it tells the agent to use the Membrane CLI to interact with JobNimbus. The only minor mismatch is that the registry metadata declares no required binaries, yet the SKILL.md instructs installing an npm CLI (@membranehq/cli). This is an implementation detail, not a functional mismatch.
- Instruction Scope (ok): SKILL.md stays on-task: it describes installing and using the Membrane CLI, authenticating, creating a JobNimbus connection, and listing/finding actions. It does not instruct reading unrelated system files, environment variables, or exfiltrating data to unexpected endpoints.
- Install Mechanism (note): No install spec was provided in the registry, but the instructions tell users to run `npm install -g @membranehq/cli@latest`. Installing a global npm package is a common, moderate-risk mechanism; the package uses a known namespace (@membranehq) and points to a GitHub repo/homepage. Verify the npm package identity and trust the publisher before installing globally.
- Credentials (note): The skill declares no required env vars or primary credential, which is consistent with relying on interactive Membrane CLI authentication. Be aware the Membrane CLI will store credentials/tokens locally after login; those credentials are necessary for the integration but are handled by Membrane rather than declared as env vars in the skill.
- Persistence & Privilege (ok): The skill is instruction-only, has always:false, and does not request elevated or persistent platform privileges. The only persistence is normal CLI credential storage performed by the Membrane tool during authentication.
