Lane
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a legitimate Lane integration, but it gives the agent broad authenticated access to run Lane API requests, including write/delete operations, without clear approval or scope limits.
Install only if you are comfortable granting Membrane access to your Lane workspace. Use a least-privileged account, confirm any create/update/delete action before it runs, prefer built-in discovered actions over raw API proxy calls, and revoke the connection when finished.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could create, change, or delete Lane project-management data if it chooses the wrong action or endpoint.
The skill documents a broad authenticated API escape hatch, including write and delete methods, without visible endpoint limits or confirmation requirements.
"When the available actions don't cover your use case, you can send requests directly to the Lane API through Membrane's proxy... Common options: ... HTTP method (GET, POST, PUT, PATCH, DELETE)"
Use this only with explicit user approval for mutating actions, prefer discovered prebuilt actions, and limit Lane/Membrane permissions where possible.
Membrane and the agent workflow may be able to access the Lane account or connection the user authorizes.
The skill requires delegated account access and credential refresh through Membrane, which is expected for a Lane integration but important for users to understand.
"This skill uses the Membrane CLI to interact with Lane. Membrane handles authentication and credentials refresh automatically"
Authorize only the intended Lane workspace/account, review granted scopes if available, and revoke the Membrane connection when it is no longer needed.
A future CLI release or compromised package distribution could affect what gets installed or run locally.
The setup installs an npm package globally from the moving latest tag rather than a fixed version. This is purpose-aligned, but it means behavior can change as the package updates.
npm install -g @membranehq/cli@latest
Install the CLI from the official source, consider pinning a reviewed version, and avoid running it with unnecessary elevated privileges.
Lane request data and responses may pass through Membrane infrastructure as part of the integration.
Lane API traffic and authenticated requests are routed through Membrane as a provider gateway. This is disclosed and purpose-aligned, but it is a sensitive data boundary.
"send requests directly to the Lane API through Membrane's proxy. Membrane automatically appends the base URL... and injects the correct authentication headers"
Review Membrane's data handling terms and avoid sending unnecessary sensitive Lane data through proxy requests.
