Contentgroove

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is a coherent ContentGroove integration, but it gives the agent broad authenticated CLI/API control, including write and delete methods, without clear approval or scoping guidance.

Before installing, make sure you trust Membrane and the npm CLI package. Connect a least-privilege ContentGroove account, prefer scoped listed actions, and require explicit confirmation before any upload, create, update, delete, webhook, or raw proxy request.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used incorrectly, the agent could modify or delete ContentGroove resources, webhooks, uploads, or other account data through an authenticated connection.

Why it was flagged

This documents a broad authenticated API escape hatch, including mutating and delete methods, without visible guardrails requiring explicit user approval, endpoint scoping, or reversibility checks.

Skill content

When the available actions don't cover your use case, you can send requests directly to the ContentGroove API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE).

Recommendation

Use read-only actions by default, prefer listed scoped actions over raw proxy requests, and require explicit user confirmation for POST, PUT, PATCH, DELETE, upload, or webhook changes.

What this means

The agent may be able to access or act on ContentGroove data according to the permissions of the Membrane/ContentGroove connection.

Why it was flagged

The skill relies on delegated account authentication and automatic credential refresh, which is expected for a ContentGroove integration but gives the agent access through the user's connected account.

Skill content

Membrane handles authentication and credentials refresh automatically... membrane login --tenant

Recommendation

Connect only an account with the minimum permissions needed, review existing connections, and revoke the connection when it is no longer needed.

What this means

Installing the CLI adds a local executable dependency whose behavior depends on the npm package and version installed.

Why it was flagged

The skill asks the user to install a global external npm package. This is central to the stated purpose, but it is unpinned and not captured by an install specification.

Skill content

npm install -g @membranehq/cli

Recommendation

Install the CLI only from the trusted package source, consider pinning or verifying the version, and avoid running it in sensitive environments unless needed.