Goto Webinar
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This is a disclosed GoTo Webinar integration, but it gives broad authenticated ability to run destructive GoTo actions or raw API requests without documented approval or scope limits.
Install only if you are comfortable granting Membrane access to your GoTo Webinar account. Before using it, set a rule that the agent must ask for confirmation before canceling webinars, deleting people, or making raw POST/PUT/PATCH/DELETE API requests, and revoke the connection when you no longer need it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could change or delete webinar data through the user's connected account if it uses this proxy incorrectly.
The skill exposes an authenticated raw API proxy capable of mutating or deleting GoTo Webinar resources, but does not document confirmation requirements, allowed endpoints, or rollback boundaries.
`membrane request CONNECTION_ID /path/to/endpoint` ... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).
Require explicit user approval for POST, PUT, PATCH, DELETE, cancellation, and deletion actions; prefer prebuilt actions; and limit requests to the specific webinar or organizer IDs requested by the user.
A mistaken or over-eager action could cancel an event or remove people from a webinar.
The popular actions include destructive business-event operations, but the skill does not instruct the agent to confirm with the user before running them.
`Delete Registrant` ... `Remove a registrant from a webinar` ... `Cancel Webinar` ... `Cancel a webinar`
Add explicit guardrails requiring user confirmation and a preview of the exact webinar, registrant, panelist, or co-organizer before any destructive operation.
Membrane will hold or refresh access to the connected GoTo Webinar account, enabling future actions through that connection.
The skill requires the user to authenticate through Membrane and authorize a GoTo Webinar connection. Delegated account access is expected for this integration, but it is sensitive and not reflected in the registry credential fields.
`membrane login --tenant` ... `membrane connect --connectorId=CONNECTOR_ID --json` ... `Membrane handles authentication and credentials refresh automatically`
Use an account with the minimum needed permissions, review what the connection can access, and revoke the Membrane connection when finished.
The installed CLI becomes part of the local environment and will be trusted to handle account login and API requests.
The skill asks the user to install an unpinned global npm CLI package. This is purpose-aligned setup, but it depends on the npm package provenance and current published version.
`npm install -g @membranehq/cli`
Install only from the official npm package, consider pinning or verifying the CLI version, and avoid running the setup on highly sensitive systems unless needed.