Ifttt
AdvisoryAudited by Static analysis on Apr 2, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An unintended or poorly scoped command could change or delete IFTTT data, affect applets that automate other services, or send authenticated requests to an unintended destination.
This gives the agent a raw authenticated API escape hatch with mutating methods and full-URL support, without clear endpoint restrictions or approval requirements.
When the available actions don't cover your use case, you can send requests directly to the IFTTT API through Membrane's proxy... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE)... You can also pass a full URL instead of a relative path — Membrane will use it as-is.
Use prebuilt Membrane actions where possible, restrict proxy calls to relative IFTTT API paths, and require explicit user confirmation before any POST, PUT, PATCH, or DELETE request.
Once connected, future commands can act through the user's Membrane and IFTTT connection without repeating the full login flow.
The skill uses persistent Membrane credentials and delegated IFTTT access. This is expected for the integration, but it is more sensitive than the registry metadata's 'Primary credential: none' suggests.
After login, credentials are stored in `~/.membrane/credentials.json` and reused for all future commands.
Install only if you trust Membrane and this skill's use of it; review or remove ~/.membrane credentials and revoke the IFTTT connection when no longer needed.
The behavior of the CLI may change as the upstream package changes, and the reviewed artifact set does not include that code.
The skill depends on fetching and running the latest version of an external npm package rather than a pinned, reviewed version. This is central to the stated purpose, but it creates provenance and update-risk considerations.
This skill uses the Membrane CLI (`npx @membranehq/cli@latest`) to interact with IFTTT.
Prefer a pinned CLI version from a trusted source, and verify the Membrane CLI package before using it with account credentials.