Back to skill
Skillv1.0.3
ClawScan security
Voilanorbert · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 22, 2026, 11:04 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it delegates VoilaNorbert access to the Membrane CLI and does not request unrelated credentials or perform suspicious actions.
- Guidance
- This skill is coherent but depends on trusting the Membrane service and its CLI. Before installing: (1) verify the @membranehq/cli npm package publisher and prefer running it with npx if you want to avoid a global install; (2) review Membrane's security and privacy docs because Membrane will store/handle your VoilaNorbert credentials and API access; (3) confirm any authentication URLs are the official Membrane endpoints during login; (4) consider creating a separate account/tenant with limited permissions for integrations and revoke tokens if you stop using the service. If you do not trust Membrane or cannot verify the package/source, do not proceed.
Review Dimensions
- Purpose & Capability
- okThe skill claims to integrate with VoilaNorbert and its instructions consistently use the Membrane CLI to create connections and run actions against VoilaNorbert. No unrelated services or credentials are requested.
- Instruction Scope
- okSKILL.md contains step‑by‑step CLI instructions (install Membrane, login, connect, list actions, run actions). It does not instruct reading arbitrary local files, harvesting environment variables, or posting data to unexpected endpoints. It explicitly recommends letting Membrane manage credentials.
- Install Mechanism
- noteThere is no install spec in the registry; the instructions tell users to install @membranehq/cli via npm (-g). That is a common approach but carries the usual npm package risk (third‑party package trust). The install method is proportionate for the stated purpose.
- Credentials
- noteThe skill requests no environment variables or local secrets. Authentication is performed via Membrane login (browser/authorization URL). This is proportionate, but it means you are delegating VoilaNorbert credentials and access control to Membrane — you should confirm you trust that service.
- Persistence & Privilege
- okThe skill does not request 'always' or other elevated persistence flags and is user-invocable only. As an instruction-only skill it does not modify other skills or system-wide settings.