Loopify
Review
Audited by ClawScan on May 10, 2026.
Overview
Loopify is a coherent Membrane-based integration, but it gives the agent credentialed raw API access that can change or delete business/account data without clear approval or scoping guidance.
Install only if you trust Membrane and the npm CLI package. Use a least-privileged Loopify connection, prefer pre-built Membrane actions, and require explicit confirmation before any write, delete, user-management, or organization-management operation.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overbroad agent action could modify or delete Loopify videos, users, organization settings, or other business data.
The skill exposes a credentialed raw API proxy with broad HTTP methods and arbitrary paths, but the provided text does not clearly bound write/delete operations or require confirmation before high-impact account changes.
When the available actions don't cover your use case, you can send requests directly to the Loopify API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE).
Prefer Membrane's pre-built actions, and require explicit user confirmation with the connection ID, endpoint, method, and input preview before any POST, PUT, PATCH, DELETE, user-management, or organization-management request.
The agent can act with whatever Loopify permissions the connected Membrane account has.
The integration uses Membrane login and credential refresh to act on the user's connected Loopify account. This is expected for the stated purpose, but it is delegated account authority.
Membrane handles authentication and credentials refresh automatically... membrane login --tenant --clientName=<agentType>
Use the least-privileged Loopify/Membrane account practical, and review which tenant and connection are active before allowing account-changing operations.
A future CLI release or compromised package source could change behavior outside what was reviewed here.
The setup depends on installing the latest Membrane CLI from npm. This is central to the skill's purpose, but @latest is unpinned and inherits npm/package supply-chain risk.
npm install -g @membranehq/cli@latest
Install from a trusted npm source, consider pinning a known-good CLI version, and verify the package publisher before use.
Provider-returned instructions could influence the agent's next steps if treated as authoritative rather than contextual.
The skill may present remote Membrane-provided instructions to the agent during connection setup. This is part of the workflow, but such instructions should not override the user's goal or safety constraints.
clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically.
Treat returned agentInstructions as untrusted workflow hints; ignore anything that conflicts with the user's request, security boundaries, or approval requirements.
Loopify request data and results may pass through Membrane while using the integration.
Authenticated requests and response data are routed through Membrane as an intermediary gateway. This is disclosed and purpose-aligned, but it is a sensitive data boundary.
you can send requests directly to the Loopify API through Membrane's proxy... injects the correct authentication headers
Avoid sending unnecessary sensitive data, confirm the destination endpoint, and ensure Membrane is an acceptable intermediary for your organization.
