Skill v1.0.1
ClawScan security
Pirate Weather · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 10:50 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions align with its stated Pirate Weather integration purpose; it is an instruction-only Membrane CLI integration and does not request unrelated credentials or system access.
- Guidance: This skill is coherent: it uses the Membrane CLI to connect to Pirate Weather and does not ask for unrelated secrets. Before installing, verify you trust Membrane/@membranehq on npm and the homepage/repository (getmembrane.com and the GitHub repo referenced) because the skill recommends installing a global npm CLI. If you prefer not to install globally, use npx as shown. Be aware the login flow is interactive (browser/code) and grants Membrane-managed access to Pirate Weather on your behalf — review Membrane's privacy/permission model. If you want to prevent autonomous agent actions, restrict the skill or require explicit user approval before running CLI commands.
Review Dimensions
- Purpose & Capability: ok. The name/description (Pirate Weather integration) match the SKILL.md: all runtime instructions use the Membrane CLI to connect to Pirate Weather. There are no unrelated required env vars, binaries, or config paths listed.
- Instruction Scope: note. The instructions tell the agent/user to install and use the @membranehq/cli, run `membrane login`, create a connection, list/search actions, and run actions. These steps are scoped to integrating with Pirate Weather and do not instruct reading unrelated files or exfiltrating secrets. Note: several commands are interactive (browser-based login) or produce authorization codes; the skill assumes network access and a Membrane account.
- Install Mechanism: note. This is instruction-only (no automated install spec). It recommends `npm install -g @membranehq/cli@latest` and uses `npx` in examples. Using npm packages from the public registry is common but has moderate risk if users blindly install packages; installation is user-initiated, not automatic.
- Credentials: ok. The skill declares no required environment variables or credentials. It explicitly recommends using Membrane's connection/auth instead of asking for API keys, which is proportionate for a connector-style integration.
- Persistence & Privilege: ok. `always` is false and the skill does not request persistent system-wide privileges or modify other skills. The skill can be invoked autonomously (platform default), but nothing in the skill requests elevated or persistent presence.
