Back to skill
Skillv1.0.3
ClawScan security
Wix · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 21, 2026, 2:03 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests and instructions are consistent with a Membrane-based WIX integration: it only asks you to install and use the Membrane CLI and to create an OAuth connection to WIX, and it does not request unrelated credentials or file access.
- Guidance
- This skill appears coherent for a Wix integration that uses the Membrane service. Before installing: 1) Verify the @membranehq/cli package and its maintainers (review the npm page and GitHub repository) because global npm installs can run install scripts. 2) Understand the OAuth flow: you'll open a browser to authorize Membrane to access your Wix store—check what scopes/permissions are requested. 3) Prefer creating a dedicated Membrane connection with least privilege rather than reusing broad admin credentials. 4) If you cannot or do not want to install a global CLI, consider whether you can run Membrane commands in a controlled environment. 5) If you need higher assurance, ask the publisher for the exact npm package version and source checksums or review the repository referenced in SKILL.md. Installing and using this skill is reasonable if you trust Membrane/@membranehq and the described OAuth flow.
Review Dimensions
- Purpose & Capability
- okName/description (WIX eCommerce integration) match the instructions: all runtime actions are performed via the Membrane CLI and creating a Wix connection. No unrelated services, credentials, or binaries are requested.
- Instruction Scope
- okSKILL.md instructs installing and using the Membrane CLI, performing login and connection creation, discovering and running actions. It does not ask the agent to read arbitrary files, access unrelated environment variables, or exfiltrate data to unexpected endpoints.
- Install Mechanism
- noteInstallation is a single npm global package (npm install -g @membranehq/cli@latest). This is proportionate to the described CLI-based workflow but carries the usual risk of installing a third-party global npm package (review package reputation/source before installing).
- Credentials
- okNo environment variables or local config paths are required. Auth is handled via Membrane's OAuth flow as described, which is appropriate for the stated purpose.
- Persistence & Privilege
- okThe skill is instruction-only, has no always:true flag, and does not request persistent system-wide privileges beyond optionally installing a CLI tool at the user's discretion.