Back to skill
Skillv1.0.3
ClawScan security
Open Exchange Rates · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 21, 2026, 9:04 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions and requirements are consistent with its stated purpose (using Membrane to connect to Open Exchange Rates); it asks the user to install and use the Membrane CLI and does not request unrelated secrets or system access.
- Guidance
- This skill is coherent: it uses the Membrane CLI to access Open Exchange Rates and does not ask for unrelated credentials. Before installing or using it, consider: (1) You will need npm/npx and network access even though registry metadata lists no required binaries — install npm if you don't have it. (2) Membrane's servers will store and mediate API credentials and requests for Open Exchange Rates; only proceed if you trust getmembrane.com/@membranehq. (3) Install the CLI from the official @membranehq package on npm and verify the package/website authenticity. (4) Avoid sending sensitive personal data through actions unless you understand how Membrane will store/process it. If you want a purely local integration (no third-party server holding API keys), this skill is not suitable.
Review Dimensions
- Purpose & Capability
- okName/description match the instructions: the SKILL.md consistently instructs the agent/user to use Membrane to integrate with Open Exchange Rates. No unrelated credentials, binaries, or capabilities are requested.
- Instruction Scope
- noteSKILL.md tells the user to install and use the Membrane CLI, run login flows, create connections, discover and run actions. The instructions do not request arbitrary file reads or unrelated environment variables. Note: all API calls are mediated by Membrane (data and credentials will be handled server-side by Membrane), so be aware that requests and any data passed to actions will go through Membrane's service.
- Install Mechanism
- noteThis is an instruction-only skill (no install spec). It instructs the user to install @membranehq/cli from the public npm registry (npm install -g or use npx). That is a normal, moderate-risk install path (public npm package). The registry metadata lists no required binaries, but the SKILL.md expects npm/npx and network access — a small inconsistency to be aware of.
- Credentials
- okThe skill declares no required environment variables or credentials. Authentication is delegated to Membrane via an interactive login. This is proportionate, but implies you must trust Membrane to store and manage Open Exchange Rates credentials on their servers.
- Persistence & Privilege
- okThe skill does not request persistent/always-on privileges (always: false). It does not modify other skills or system-wide settings. Normal autonomous invocation is allowed (disable-model-invocation: false), which is the platform default.