ClawHub

Spacelift

v1.0.0

Spacelift integration. Manage data, records, and automate workflows. Use when the user wants to interact with Spacelift data.

0· 28·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description say 'Spacelift integration' and the SKILL.md exclusively documents using the Membrane CLI to connect to Spacelift, discover actions, run actions, and proxy API requests. Nothing requested (no env vars, no unrelated binaries) contradicts the stated purpose.
Instruction Scope
Instructions focus on installing and using the Membrane CLI, authenticating via a browser flow, listing and running actions, and proxying requests to Spacelift through Membrane. This stays within the integration scope, but the proxy behavior means user data and API requests will be routed through Membrane's service — a privacy/trust consideration. SKILL.md does not instruct reading unrelated local files or environment variables.
Install Mechanism
The SKILL.md instructs installing @membranehq/cli via npm (-g). This is a public npm package install (moderate risk compared to no install): npm installs can execute lifecycle scripts and write to disk. The registry metadata has no install spec (instruction-only), so the install would be performed by the user/agent environment, not the skill bundle itself.
Credentials
No environment variables, credentials, or config paths are declared or required by the registry metadata. The SKILL.md requires a Membrane account (browser login) but does not request unrelated secrets or multiple unrelated credentials—access needs appear proportionate to the stated purpose.
Persistence & Privilege
No elevated persistence requested. always is false and the skill does not request system-level configuration changes. Default autonomous invocation is allowed (platform default) but not combined with other red flags here.
Assessment
This skill appears coherent: it uses the Membrane CLI to talk to Spacelift and doesn't ask for unrelated secrets. Before installing, consider: (1) Trust: Membrane will proxy your Spacelift API requests and hold auth tokens — confirm you trust getmembrane.com and the @membranehq CLI package. (2) Supply-chain: npm -g installs can run code during install; prefer reviewing the package source or using a pinned, audited version. (3) Privacy: any data you send to Spacelift via the CLI/proxy will also transit Membrane. (4) Environments: headless or CI use requires following their headless login steps — avoid pasting credentials into unknown contexts. If you need higher assurance, ask the skill author for the full, untruncated SKILL.md, the repository/commit hash for the CLI and skill examples, and any privacy/retention docs from Membrane.

Like a lobster shell, security has layers — review code before you run it.

latestvk978sajhv335zzcrq5kndn445d8493qb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments