Nango

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: nango
Version: 1.0.0

The skill bundle provides standard instructions and documentation for an AI agent to interact with the Nango integration platform using the Membrane CLI. It focuses on legitimate operations such as connection management, action discovery, and API proxying through the 'membrane' command-line tool, with no evidence of malicious intent, data exfiltration, or prompt injection (SKILL.md).

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, the agent could modify or delete Nango connections, users, groups, or related account data.

Why it was flagged

This gives the agent a broad authenticated API escape hatch, including destructive methods, without documenting approval requirements, endpoint limits, or safeguards.

Skill content

When the available actions don't cover your use case, you can send requests directly to the Nango API through Membrane's proxy... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).

Recommendation

Require explicit user confirmation for mutating requests, prefer scoped Membrane actions, and document allowed endpoints and rollback expectations.

What this means

The agent may be able to act with the permissions of the connected Membrane/Nango account.

Why it was flagged

The skill uses delegated Membrane/Nango account authentication. This is purpose-aligned, but it grants ongoing authenticated access through Membrane.

Skill content

Membrane handles authentication and credentials refresh automatically... `membrane login --tenant`

Recommendation

Use a least-privileged account or tenant, verify which connection is selected, and revoke unused connections when finished.

What this means

Users must trust the external npm package and whichever version is installed or fetched at runtime.

Why it was flagged

The skill depends on an external CLI package installed globally or run via @latest, while no package code is included in the reviewed artifact set.

Skill content

`npm install -g @membranehq/cli` ... `npx @membranehq/cli@latest action list --intent=QUERY --connectionId=CONNECTION_ID --json`

Recommendation

Install from the official package source, consider pinning a known version, and avoid running the CLI from untrusted environments.