Skill v1.0.3
ClawScan security
Launchdarkly · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 3:04 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, dependencies, and scope are consistent with a LaunchDarkly integration implemented via the Membrane CLI; nothing requested is disproportionate to that purpose.
- Guidance: This skill is an instruction-only wrapper that uses the Membrane CLI to manage LaunchDarkly objects. Before installing or following its instructions: (1) verify you trust the @membranehq npm package and its publisher (global npm installs run third‑party code on your machine); (2) ensure you are comfortable granting Membrane a connection to your LaunchDarkly account (the skill relies on Membrane to hold credentials server-side); (3) don't paste LaunchDarkly API keys into chat — create the connection via the CLI as instructed; (4) understand the agent can run Membrane actions (which may list or modify LaunchDarkly data) so grant access only if you want the agent to be able to perform those operations. Overall the skill's requests align with its stated purpose.
Review Dimensions
- Purpose & Capability (ok): The skill declares a LaunchDarkly integration and all runtime instructions use the Membrane CLI and Membrane connections to interact with LaunchDarkly. Requesting use of the Membrane CLI and a Membrane account is proportionate to the stated purpose.
- Instruction Scope (ok): SKILL.md only instructs installing and using the Membrane CLI (login, connect, action list/create/run) and references LaunchDarkly docs. It does not ask the agent to read unrelated files, access unrelated environment variables, or exfiltrate data to unexpected endpoints.
- Install Mechanism (note): There is no automated install spec in the skill (instruction-only). It recommends installing @membranehq/cli via 'npm install -g'. This is a reasonable, expected step but it relies on a third‑party npm package — users should vet the package and its publisher before installing globally.
- Credentials (ok): The skill declares no required environment variables or credentials and explicitly delegates auth to Membrane, which is appropriate. It does not request unrelated secrets or config paths.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated persistence or modification of other skills or system-wide agent settings. Default autonomous invocation is allowed but not combined with other concerning privileges.
