Self-Integration
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill is transparent about using Membrane to control external apps, but it gives the agent very broad authority to create and run actions across connected services.
Install only if you trust Membrane and need a broad cross-app automation skill. Use a limited token, connect only necessary apps, review generated connectors/actions, and require confirmation before the agent sends messages, changes records, syncs data, or performs any bulk or irreversible operation.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent misunderstands the user or is given unsafe instructions, it could send messages, create or modify tasks, sync data, or change records in connected third-party apps.
The skill exposes a generic mechanism to execute arbitrary actions against external services, including mutating operations, without visible guardrails such as explicit confirmation for destructive, public, or bulk actions.
Connect to any external app and perform actions on it... perform any API operation... `POST /actions/{actionId}/run?connectionId=con_abc123`
Require explicit user confirmation before any mutating, public, bulk, financial, or irreversible action, and show the target app, connection, action name, and input parameters before running it.
Anyone or any agent flow with access to the token may be able to use existing Membrane connections to act in Slack, HubSpot, Salesforce, GitHub, Google Sheets, or other linked services.
The Membrane token is used to list and operate on authenticated external-app connections. This is expected for the integration, but it can represent broad delegated authority across many accounts.
Authorization: Bearer $MEMBRANE_TOKEN... A connection is an authenticated link to an external app... `GET /connections`
Use the least-privileged Membrane token available, connect only the apps needed for the task, monitor activity, and revoke or rotate the token and app connections when no longer needed.
Generated connectors or actions could have broader behavior than the user expected, especially when they are used to modify third-party accounts.
The skill can ask a remote Membrane agent to dynamically build new connectors or actions. The artifacts do not describe review, provenance, testing, or safety boundaries for generated integrations.
If nothing is found, go to step 1c to build a connector... `POST /agent/sessions` with body `{"prompt": "Build a connector for Slack..."}`
Review newly generated connectors/actions before use, prefer existing trusted connectors, and avoid running generated mutating actions until the requested permissions and inputs are clear.
Task details and connection identifiers may be sent to Membrane's agent service while building connectors or actions.
The OpenClaw agent is instructed to communicate with a separate Membrane agent and include connection identifiers in prompts. This is disclosed and purpose-aligned, but the artifact does not specify the remote agent's data-handling boundaries.
Use Membrane Agent. ALWAYS include the connection ID in the prompt: `POST /agent/sessions`...
Avoid putting unnecessary secrets or sensitive business data in connector/action-building prompts, and confirm Membrane's data-retention and access policies before using it with sensitive accounts.
