Gloww
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe they are installing one kind of Gloww integration while the instructions steer the agent toward different account resources or actions.
The stated purpose, product description, resource model, and highlighted actions do not match each other, making it unclear what service or account data the user is actually authorizing.
description: | Gloww integration. Manage Organizations, Pipelines, Users, Filters, Files, Notes. ... Gloww is a social media platform designed for beauty and wellness enthusiasts. ... | List Sessions and Templates | list-sessions-and-templates | | Create Live Session | create-live-session |
Clarify the actual Gloww product, official API, supported resources, and intended actions before installing or using it.
If used incorrectly, the agent could modify or delete data in the connected Gloww account through authenticated API calls.
The skill enables arbitrary authenticated API proxy requests, including mutating and deleting methods, without limiting endpoints or requiring explicit confirmation for high-impact changes.
When the available actions don't cover your use case, you can send requests directly to the Gloww API through Membrane's proxy... injects the correct authentication headers... HTTP method (GET, POST, PUT, PATCH, DELETE)
Use only read-only actions until the provider, endpoint, and effect are verified; require explicit user approval before POST, PUT, PATCH, or DELETE requests.
The connected account may remain usable by the Membrane CLI after setup until the connection is revoked.
The skill uses delegated Membrane/Gloww authentication and automatic credential refresh. This is expected for the integration, but it creates account authority the user should intentionally grant.
membrane login --tenant ... membrane connect --connectorId=CONNECTOR_ID --json ... Membrane handles authentication and credentials refresh automatically
Connect only the intended Gloww account, review granted scopes if shown during OAuth, and revoke the connection when it is no longer needed.
Installing the CLI changes the local environment and relies on the npm package source being trustworthy.
The skill asks the user to install a global npm CLI package. This is central to the Membrane workflow, but it is a local supply-chain dependency outside the instruction-only skill itself.
npm install -g @membranehq/cli
Install the CLI only from the official package source and keep it updated; avoid running unexpected commands beyond the documented Membrane workflow.