Kanbanize
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a disclosed Membrane-based Kanbanize integration, but it requires trusting Membrane authentication/CLI access and can change or delete Kanbanize work items.
Install this only if you are comfortable using Membrane as the intermediary for Kanbanize access. Review authentication permissions, verify the Membrane CLI package source, and ask the agent to confirm before deleting or broadly modifying Kanbanize cards or other shared project data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the CLI changes the local environment and requires trusting the npm package publisher.
The skill asks the user to install a global CLI from npm using the moving @latest tag. This is central to the Membrane-based integration and user-directed, but it means the runtime code is outside the reviewed skill artifact and may change over time.
npm install -g @membranehq/cli@latest
Install the CLI only from the expected publisher, and consider pinning or reviewing the package version in managed environments.
The connected account may allow the agent to read or modify Kanbanize data within the granted permissions.
The skill relies on Membrane to authenticate and refresh credentials for Kanbanize. This is expected for the integration, but it gives Membrane-mediated access to the connected Kanbanize account.
Membrane handles authentication and credentials refresh automatically
Connect only the intended Kanbanize account/workspace and review the scopes or permissions shown during authentication.
A mistaken or overly broad instruction could change or remove Kanbanize items.
The documented action catalog includes mutating and destructive Kanbanize operations such as creating, updating, commenting on, logging time to, and deleting cards. These operations fit the stated purpose but can affect shared project data.
| Delete Card | delete-card | Delete a card from Kanbanize |
Confirm destructive or bulk changes with the user and prefer listing or previewing target cards before update/delete actions.
If treated too broadly, remote setup text could steer the agent beyond the user's intended Kanbanize task.
The skill describes receiving agent-facing instructions from the Membrane connection flow. This can be useful for setup, but remote response text should not become broader authority over the user's goals.
clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically.
Treat returned agentInstructions as setup guidance only, and do not let them override the user's request or safety checks.