Mercado Libre

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could make authenticated changes to Mercado Libre data, including potentially modifying or deleting marketplace records, if the wrong endpoint or input is used.

Why it was flagged

The skill documents an authenticated raw API escape hatch with mutating and delete methods, but the provided instructions do not clearly require user confirmation, resource limits, or safer scoped actions before using it.

Skill content

send requests directly to the Mercado Libre API through Membrane's proxy ... HTTP method (GET, POST, PUT, PATCH, DELETE)

Recommendation

Use this only with explicit user approval for the exact endpoint, method, and request body; prefer discovered Membrane actions over raw proxy calls, especially for writes or deletes.

What this means

Authorizing the connection may allow Membrane-powered actions to access or change data in the user's Mercado Libre account.

Why it was flagged

The skill requires delegated account authentication and ongoing credential refresh through Membrane, which is expected for Mercado Libre integration but sensitive.

Skill content

Membrane handles authentication and credentials refresh automatically ... The user completes authentication in the browser.

Recommendation

Authorize only the Mercado Libre account and permissions needed, and revoke the Membrane connection when it is no longer required.

What this means

The actual behavior may depend on Membrane's current CLI package and remote connector generation rather than code bundled with the skill.

Why it was flagged

The skill relies on an external latest-version CLI and possibly an automatically built connector whose implementation is not present in the reviewed artifact.

Skill content

npm install -g @membranehq/cli@latest ... If no app is found, one is created and a connector is built automatically.

Recommendation

Install the CLI from a trusted source, consider pinning a known version, and review Membrane connection details before granting marketplace access.

What this means

Request contents and account-mediated operations may pass through Membrane while interacting with Mercado Libre.

Why it was flagged

Mercado Libre API calls and request data are routed through Membrane as an authenticated proxy, which is disclosed and purpose-aligned but creates a third-party data boundary.

Skill content

send requests directly to the Mercado Libre API through Membrane's proxy ... injects the correct authentication headers

Recommendation

Avoid sending unrelated sensitive data through proxy requests, and verify that Membrane is an acceptable intermediary for the account and data involved.