Mocean Api
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is a coherent Mocean API integration, but it gives the agent broad authenticated API request capability without clear safeguards for write, delete, SMS, or voice actions.
Before installing or using this skill, make sure you trust Membrane and the Mocean account connection. Use it only for specific Mocean tasks, review any SMS, voice, user, organization, or filter changes before they are made, and be especially cautious with raw proxy requests or any POST, PUT, PATCH, or DELETE operation.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could make authenticated Mocean API changes, including actions that may affect account data, send communications, or incur service costs, if prompted or if it misinterprets a task.
This gives the agent a broad authenticated escape-hatch for arbitrary Mocean API requests, including mutating and deleting operations, without artifact guidance requiring user confirmation or scoping.
When the available actions don't cover your use case, you can send requests directly to the Mocean API API through Membrane's proxy... injects the correct authentication headers... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).
Use only for clearly requested Mocean tasks, prefer discovered scoped actions over raw proxy requests, and require explicit user confirmation before sending SMS/voice messages or performing POST, PUT, PATCH, or DELETE requests.
The skill can operate through a logged-in Membrane/Mocean connection with the permissions granted during authentication.
The skill requires delegated account authentication and automatic credential refresh. This is expected for an API integration, but it is sensitive authority that users should notice.
Membrane handles authentication and credentials refresh automatically... `membrane login --tenant --clientName=<agentType>`
Authenticate only with the intended account, review the scopes/permissions granted, and revoke the connection if it is no longer needed.
Installing the latest global CLI means the code run on the machine may change over time and was not included in this skill artifact review.
The skill instructs a global install of the Membrane CLI using the latest npm version. This is disclosed and purpose-aligned, but it is not pinned to a reviewed version.
npm install -g @membranehq/cli@latest
Install the CLI from the official package source, consider pinning a known version, and keep it updated through normal trusted package-management practices.