Opengraphio

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a normal Membrane/OpenGraph.io integration, but users should note that it requires a global CLI install and authenticated Membrane/OpenGraph.io access.

Before installing, confirm you trust the Membrane CLI package and are comfortable authenticating through Membrane. Prefer named OpenGraph.io actions over raw proxy calls, and approve any write/delete API requests explicitly.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the CLI gives that package normal local execution ability during install and when run.

Why it was flagged

The skill asks the user to install a global CLI package using the moving @latest tag. This is a disclosed, purpose-aligned setup step, but it depends on external npm package provenance and future package changes.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Install only from the official package source, consider pinning a known version, and avoid running the CLI with elevated privileges.

What this means

The agent can use the authenticated connection to call available OpenGraph.io actions.

Why it was flagged

The skill requires logging into Membrane and creating an OpenGraph.io connection. This is expected for the integration, but it grants delegated account access through Membrane.

Skill content

membrane login --tenant --clientName=<agentType>

Recommendation

Review the scopes/account being connected, use the least-privileged account practical, and revoke the connection when it is no longer needed.

What this means

If used carelessly, direct API calls could change OpenGraph.io account or service data rather than only reading metadata.

Why it was flagged

The skill documents a raw authenticated API proxy, including mutating HTTP methods. This is a common integration escape hatch and is bounded to the OpenGraph.io connection, but it is broader than named, scoped actions.

Skill content

When the available actions don't cover your use case, you can send requests directly to the OpenGraph.io API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE).

Recommendation

Prefer discovered named actions where possible and require clear user confirmation before POST, PUT, PATCH, or DELETE requests.

What this means

API requests and related authentication handling pass through Membrane rather than going only directly from the user to OpenGraph.io.

Why it was flagged

Authenticated OpenGraph.io requests are proxied through Membrane, which handles credential injection and refresh. This data flow is disclosed and purpose-aligned, but users should understand that Membrane is in the request path.

Skill content

Membrane automatically appends the base URL to the path you provide and injects the correct authentication headers

Recommendation

Use this only if you are comfortable with Membrane acting as the integration gateway, and review Membrane/OpenGraph.io account settings for connected apps.