Low Risk — Risk Score 10/100
Last scan: 2 days ago
clari
Clari integration for revenue operations data management and workflow automation
Legitimate Clari integration skill that uses the Membrane CLI for API interactions; all shell commands are documented and necessary for the documented functionality.
Skill Name: clari
Duration: 32.7s
Engine: pi
Safe to install
Skill is safe to use. Monitor for any changes to the Membrane CLI package or unexpected network behavior.

Findings 2 items

Severity: Low
Finding: Global npm package installation
Location: SKILL.md:25
The skill instructs users to install @membranehq/cli globally via npm. While this is standard practice for CLI tools, global installs modify system state.
npm install -g @membranehq/cli
→ Consider documenting this as a required permission in the skill metadata for transparency.

Severity: Info
Finding: External URL references
Location: SKILL.md
The SKILL.md references external URLs (getmembrane.com, developers.clari.com). These are documentation links and do not pose direct security risks.
https://getmembrane.com, https://developers.clari.com/
→ No action needed; standard external documentation references.

| Resource | Declared | Inferred | Status | Evidence |
| --- | --- | --- | --- | --- |
| Filesystem | NONE | READ | ✓ Aligned | SKILL.md only - documentation reference, no actual file operations |
| Network | READ | READ | ✓ Aligned | Membrane CLI proxies API calls to Clari; declared in compatibility field |
| Shell | WRITE | WRITE | ✓ Aligned | npm install -g @membranehq/cli, membrane login/connect/action run commands all d… |
| Environment | NONE | NONE | | No environment variable access declared or observed |
| Skill Invoke | NONE | NONE | | No skill invocation observed |
| Clipboard | NONE | NONE | | No clipboard access observed |
| Browser | NONE | NONE | | Browser used only for OAuth flow in Membrane login, not programmatically accesse… |
| Database | NONE | NONE | | No database access observed |

2 findings
Medium · External URL · https://getmembrane.com · SKILL.md:7
Medium · External URL · https://developers.clari.com/ · SKILL.md:19

File Tree

1 files · 4.3 KB · 126 lines
Markdown 1f · 126L
└─ 📝 SKILL.md Markdown 126L · 4.3 KB

Dependencies 1 items

| Package | Version | Source | Known Vulns | Notes |
| --- | --- | --- | --- | --- |
| @membranehq/cli | latest | npm | No | Pinned version recommended for production use |

Security Positives

✓ All shell commands are explicitly documented in SKILL.md
✓ Credentials are managed server-side by Membrane with no local secrets storage
✓ No credential harvesting or environment variable enumeration observed
✓ No base64 encoding, eval(), or other suspicious code patterns
✓ No hidden instructions in comments or documentation
✓ No direct IP connections or C2 indicators
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Membrane acts as a secure proxy, handling auth lifecycle server-side
✓ Standard CLI integration pattern with well-established Membrane tool