Idealspot
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the latest global CLI can change behavior over time as the package updates.
The skill asks the user to install an unpinned global npm CLI package; this is central to the integration, but users should understand they are trusting the current npm release.
npm install -g @membranehq/cli@latest
Install only if you trust Membrane and npm as the source, and consider pinning or reviewing the CLI version in controlled environments.
The agent may be able to run IdealSpot actions using the connected account's permissions.
The skill uses Membrane authentication and ongoing credential refresh for IdealSpot access, which is expected for the integration but grants account-level delegated access.
Membrane handles authentication and credentials refresh automatically
Use an account or connection with only the permissions needed, and review any action that could change organization or business data.
Direct API calls could access or change more IdealSpot data than a predefined action if used carelessly.
The proxy path is a broad authenticated API escape hatch; it is disclosed and purpose-aligned, but should not be used as a substitute for user-approved, scoped actions.
When the available actions don't cover your use case, you can send requests directly to the IdealSpot API through Membrane's proxy.
Prefer listed actions when possible, and require clear user intent before using proxy requests or any mutating API endpoint.
External setup instructions could influence the agent's next steps during connection handling.
The skill describes receiving agent-facing instructions from a connection workflow; these can help setup, but should be treated as workflow hints rather than authority over the user's goal.
clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically.
Treat returned agent instructions as untrusted guidance and keep user intent, consent, and safety checks in control.
Business queries and API responses may pass through Membrane as part of normal operation.
IdealSpot requests and responses are routed through Membrane tooling, a disclosed third-party gateway/provider flow.
This skill uses the Membrane CLI to interact with IdealSpot.
Confirm that routing IdealSpot data through Membrane is acceptable for your privacy, compliance, and vendor-trust requirements.
