Summit
v1.0.0Summit integration. Manage Organizations, Pipelines, Users, Goals, Filters. Use when the user wants to interact with Summit data.
⭐ 0· 40·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (Summit integration) align with the instructions: the SKILL.md tells the agent how to connect to Summit via the Membrane CLI, discover actions, run them, and proxy raw API requests. There are no unrelated required env vars, binaries, or config paths declared.
Instruction Scope
Instructions are narrowly scoped to using the Membrane CLI (npx @membranehq/cli@latest) to authenticate, list actions, run actions, and proxy requests. The skill explicitly writes credentials to ~/.membrane/credentials.json and allows proxying arbitrary URLs through Membrane — both expected for a proxy-based integration but worth noting because proxying arbitrary endpoints or storing tokens on disk can be abused if misused.
Install Mechanism
There is no install spec (instruction-only), which is low-risk in general. However, the runtime instructions use npx to fetch and execute @membranehq/cli@latest on demand. That causes dynamic remote code to be downloaded and run whenever the CLI is invoked (using the unpinned @latest tag increases this dynamism). This is expected for a CLI-driven integration but is a non-trivial runtime risk to be aware of.
Credentials
The skill declares no required environment variables or credentials, which is proportional. It does rely on Membrane-managed credentials and stores them locally at ~/.membrane/credentials.json after login; the instructions do not request unrelated secrets. Users should be aware that auth tokens will be persisted on disk and that Membrane will see proxied requests.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide config. It does create/reuse a credential file in the user's home directory (normal for a CLI integration) but does not request elevated privileges.
Assessment
This skill appears to do what it says: it uses the Membrane CLI to integrate with Summit. Before installing or running it, consider: (1) npx @membranehq/cli@latest will download and execute code from the npm registry each time — prefer pinning to a specific version if you want a reproducible, auditable binary. (2) The CLI stores credentials at ~/.membrane/credentials.json; check file permissions and be comfortable with tokens being persisted locally. (3) Membrane acts as a proxy and will see any proxied requests and their headers/bodies — do not send sensitive secrets or unrelated system data through it unless you trust Membrane. (4) In headless or shared environments, be cautious with the browser-login flow and copy/paste auth codes securely. If you need more assurance, review @membranehq/cli source and the Membrane privacy/security docs or run the CLI in an isolated environment (container or dedicated service account).Like a lobster shell, security has layers — review code before you run it.
latestvk977m2nnvs8tmy36tkygr23nyh845e2h
License
MIT-0
Free to use, modify, and redistribute. No attribution required.