Commcare

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is a mostly coherent CommCare/Membrane integration, but it gives the agent broad authority over potentially sensitive CommCare data and administrative resources without clear action limits or approval guidance.

Use this skill only with a CommCare account whose permissions match the intended task. Treat exports, imports, migrations, project transfers, user/role changes, SMS actions, subscriptions, and project settings as high-impact operations that should require explicit confirmation before execution.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could make broad changes or exports in a CommCare project if a user request is ambiguous or if the agent chooses an overly powerful action.

Why it was flagged

The skill exposes broad CommCare operations, including administrative, bulk, import/export, and transfer-related resources, but the visible instructions do not add clear limits, confirmation requirements, or reversibility guidance for high-impact actions.

Skill content

Manage data, records, and automate workflows... Project Transfer... Subscription... Bulk Export... Data Export... Bulk Migration... User Role... Use action names and parameters as needed.

Recommendation

Before installation or use, require explicit user confirmation for create/update/delete, import/export, migration, transfer, user/role, subscription, SMS, and project-setting actions; prefer read-only actions unless the user clearly asks for a change.

What this means

The connected account's permissions determine what the agent can view or change in CommCare.

Why it was flagged

The skill requires delegated Membrane and CommCare account access. This is expected for the integration, but it grants ongoing account authority through Membrane-managed authentication.

Skill content

Membrane handles authentication and credentials refresh automatically... membrane login --tenant... membrane connect --connectorId=CONNECTOR_ID --json

Recommendation

Use the least-privileged Membrane/CommCare account or connection available, and review/revoke the connection when it is no longer needed.

What this means

Installing a global CLI adds executable code to the local environment and depends on the npm package's integrity.

Why it was flagged

The skill asks for a global npm CLI installation. This is central to the stated purpose and user-directed, but it is not pinned to a version and there is no install spec in the registry metadata.

Skill content

Install the Membrane CLI so you can run `membrane` from the terminal:

```bash
npm install -g @membranehq/cli
```

Recommendation

Install the CLI from the official package source, consider pinning or reviewing the package version, and avoid running global installs with unnecessary elevated privileges.