Contrast Security
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a real Contrast Security integration, but it gives the agent broad authenticated API power, including write and delete requests, without clear approval or scoping safeguards.
Install only if you trust Membrane and are comfortable giving the agent authenticated Contrast Security access. Use a least-privileged account, review any write or delete request before it runs, and consider pinning the Membrane CLI version rather than using @latest.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
If the agent misinterprets a request or acts on a vague prompt, it could modify or delete Contrast Security data using the user’s authenticated access.
The skill documents a raw authenticated API proxy, including destructive HTTP methods, without visible endpoint limits, read-only defaults, or a requirement to confirm high-impact operations.
“you can send requests directly to the Contrast Security API through Membrane's proxy ... injects the correct authentication headers” and “HTTP method (GET, POST, PUT, PATCH, DELETE)”
Require explicit user approval before any POST, PUT, PATCH, or DELETE request; prefer read-only action discovery first; show the endpoint, method, and payload before execution.

Finding 2
The agent can act with the permissions of the connected Contrast Security account.
The skill requires delegated Membrane/Contrast authentication and uses refreshed credentials for API access; this is expected for the integration but gives the agent account-level authority.
“membrane login --tenant --clientName=<agentType>” and “Membrane handles authentication and credentials refresh automatically”
Use the least-privileged Contrast account or token available, review granted scopes, and revoke the connection when it is no longer needed.

Finding 3
The behavior of the CLI may change over time as the latest package changes.
The setup uses the latest Membrane CLI from npm and global/npx execution. This is central to the skill’s purpose, but the reviewed artifact does not pin the CLI version.
“npm install -g @membranehq/cli@latest” and “npx @membranehq/cli@latest action list”
Install from a trusted source, consider pinning a known-good CLI version, and review Membrane’s package and connector documentation before use.

Finding 4
Contrast Security data and request details may pass through Membrane as part of normal operation.
Authenticated Contrast Security requests are routed through Membrane’s proxy. This is disclosed and purpose-aligned, but it is an external gateway handling sensitive security-platform traffic.
“send requests directly to the Contrast Security API through Membrane's proxy”
Avoid sending unrelated sensitive local data through the proxy, and make sure Membrane’s data handling and access controls meet your organization’s requirements.
