Skillv1.0.3

ClawScan security

Meistertask · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 21, 2026, 3:04 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-only integration that delegates all network access and auth to the Membrane CLI; its requirements and instructions are coherent with a MeisterTask integration.
Guidance: This skill is an instruction-only integration that relies on the Membrane CLI and your Membrane account to access MeisterTask. Before installing/use: (1) confirm you trust Membrane and review @membranehq/cli on the npm registry (global npm installs run code on your machine); (2) understand that Membrane will mediate access to your MeisterTask data (review Membrane's privacy/security docs and revoke access when done if needed); (3) perform the login flow in a trusted browser and avoid pasting API keys into the agent; (4) consider using a dedicated or least-privilege account for connections. There are no other red flags in the skill instructions or requirements.
Findings: [regex-scan-none] expected: No code files present; the regex-based scanner had nothing to analyze. For instruction-only skills this absence of findings is expected.

Purpose & Capability: okName/description (MeisterTask integration) match the instructions: the SKILL.md describes using Membrane to connect to MeisterTask and run actions. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope: okRuntime instructions are limited to installing and using the Membrane CLI, creating a connection, listing and running actions, and polling for build status. The skill does not instruct reading unrelated files, environment variables, or exfiltrating data to unexpected endpoints; it explicitly advises not to ask users for API keys.
Install Mechanism: noteThe SKILL.md recommends installing @membranehq/cli via npm (global install). This is a standard public-registry install (moderate risk compared to no-install), and is expected for a CLI-based integration. Users should verify the npm package and maintainer before installing, especially for global installs.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. Auth is handled by Membrane via an interactive login flow; requesting no local secrets is proportionate to the stated purpose.
Persistence & Privilege: okalways is false and the skill does not request permanent presence or modify other skills. It relies on an external CLI and the Membrane service to manage connections and tokens.