Nocodb
Review
Audited by ClawScan on May 10, 2026.
Overview
This NocoDB integration is purpose-aligned, but it gives the agent broad ability to run and proxy NocoDB API actions, including mutations, without clear approval boundaries in the provided instructions.
Before installing, confirm you trust Membrane and the npm CLI package, use the least-privilege NocoDB connection possible, and require the agent to ask before modifying users, roles, projects, records, or making DELETE/PATCH/PUT/POST proxy requests.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent misinterprets a request or acts too broadly, it could change or delete NocoDB data, projects, users, or roles.
The skill exposes broad direct API access, including mutating and deleting operations, for a system that manages projects, users, roles, and data. The provided instructions do not clearly require confirmation or scope limits before high-impact changes.
When the available actions don't cover your use case, you can send requests directly to the Nocodb API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE).
Require explicit user confirmation for POST, PUT, PATCH, DELETE, user/role changes, and bulk operations; prefer scoped Membrane actions over raw proxy requests where possible.

Using the skill means authorizing Membrane/CLI access to your NocoDB environment.
The skill requires delegated authentication through Membrane and uses refreshed credentials to access NocoDB. This is expected for the integration, but it is sensitive account access.
Membrane handles authentication and credentials refresh automatically
Use a least-privilege NocoDB account or connection, review granted scopes, and revoke the connection when it is no longer needed.

A future or compromised npm package version could affect what code runs locally.
The skill asks users to install a global npm CLI package using the moving @latest tag. This is central to the stated purpose, but it means the installed code may change over time.
npm install -g @membranehq/cli@latest
Install from the official npm package, consider pinning a reviewed CLI version, and avoid running the CLI with unnecessary local or account privileges.

Requests and responses involving NocoDB data may pass through Membrane infrastructure.
NocoDB API traffic and authentication are mediated through Membrane. This is disclosed and purpose-aligned, but it is an external gateway/data-boundary users should understand.
send requests directly to the Nocodb API through Membrane's proxy... injects the correct authentication headers
Review Membrane's privacy/security posture and avoid sending unnecessary sensitive NocoDB data through proxy requests.
