Mslm Cloud

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a disclosed Mslm Cloud integration, but it gives the agent broad authenticated API access, including write/delete methods, without clear guardrails.

Use this only if you trust Membrane and intend to grant it access to your Mslm Cloud account. Prefer read-only or least-privileged connections where possible, ask the agent to confirm any write/delete action before it runs, and be cautious with the raw proxy command because it can reach arbitrary authenticated API endpoints.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used incorrectly, the agent could modify or delete Mslm Cloud files, users, links, or other account data through authenticated API calls.

Why it was flagged

The skill documents a raw authenticated API escape hatch with mutating and deleting methods, but does not bound endpoints, require explicit confirmation for destructive operations, or describe rollback/reversibility.

Skill content

When the available actions don't cover your use case, you can send requests directly to the Mslm Cloud API through Membrane's proxy... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).

Recommendation

Require explicit user approval before POST/PUT/PATCH/DELETE calls, prefer prebuilt Membrane actions, document allowed endpoints, and use least-privileged Mslm Cloud connections.

What this means

Actions will run using the permissions of the connected Membrane/Mslm Cloud account.

Why it was flagged

The skill relies on delegated authentication through Membrane for Mslm Cloud access. This is expected for the integration, but it grants the skill/account authority over the connected Mslm Cloud data.

Skill content

Membrane handles authentication and credentials refresh automatically... The user completes authentication in the browser.

Recommendation

Connect only the intended account, review granted scopes where available, and revoke the connection when it is no longer needed.

What this means

The installed CLI version may change over time, and the user depends on the npm package’s integrity.

Why it was flagged

The setup uses an npm-distributed CLI and an @latest invocation. This is central to the skill and user-directed, but it is externally sourced and not pinned in the artifact.

Skill content

`npm install -g @membranehq/cli` ... `npx @membranehq/cli@latest action list`

Recommendation

Install from the official package source, consider pinning a known version, and avoid global installation if local/project-scoped use is sufficient.

What this means

Selected Mslm Cloud requests and responses may pass through Membrane infrastructure as part of normal operation.

Why it was flagged

Mslm Cloud API traffic and authentication are routed through Membrane’s proxy. This data flow is disclosed and purpose-aligned, but users should understand the intermediary’s role.

Skill content

send requests directly to the Mslm Cloud API through Membrane's proxy... injects the correct authentication headers

Recommendation

Review Membrane’s security and privacy terms before using the integration with sensitive files or organization data.