Dronedeploy
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a legitimate DroneDeploy integration, but it gives the agent broad authenticated API access, including possible update/delete calls, without clear scope or confirmation safeguards.
Install only if you are comfortable granting Membrane/DroneDeploy access to an agent. Confirm any action that creates, updates, deletes, or changes billing/account settings, and prefer narrowly scoped actions over raw API proxy requests.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could make broad authenticated changes to DroneDeploy resources if it selects the wrong action or API request.
The skill documents an authenticated raw API escape hatch that can perform write and delete operations, but the artifact does not define confirmation, endpoint, or reversibility safeguards.
When the available actions don't cover your use case, you can send requests directly to the DroneDeploy API through Membrane's proxy... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).
Require explicit user confirmation for POST, PUT, PATCH, and DELETE requests, prefer scoped discovered actions over raw proxy calls, and document allowed endpoint boundaries.
The agent may act through the user's DroneDeploy connection until that access is revoked or expires.
The integration uses delegated DroneDeploy authentication through Membrane and automatic credential refresh, which is expected for the purpose but grants ongoing account access.
Membrane handles authentication and credentials refresh automatically... `membrane connection ensure "https://dronedeploy.com" --json`
Use the least-privileged DroneDeploy/Membrane account available and revoke the connection when the integration is no longer needed.
The behavior of the installed CLI may differ from what was reviewed if the npm package changes.
The setup installs the latest global CLI from npm rather than a pinned reviewed version. This is user-directed and central to the skill, but it shifts trust to the current npm package.
`npm install -g @membranehq/cli@latest`
Install the CLI from a trusted source, consider pinning a known version, and avoid running setup commands automatically.
