Security Journey
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a coherent Security Journey integration, but it gives the agent broad authenticated API access through Membrane, including mutation and delete methods, without clear approval limits.
Install only if you trust Membrane and need Security Journey automation. Pin or verify the CLI package if possible, authenticate only the intended tenant, and require explicit confirmation before any action that creates, updates, or deletes Security Journey data.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent mistake or overly broad request could change or delete Security Journey records such as users, enrollments, assignments, or reports.
The skill documents a broad authenticated API escape hatch, including mutating and deleting methods, without stating any scoping or confirmation requirements.
When the available actions don't cover your use case, you can send requests directly to the Security Journey API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE)
Prefer scoped Membrane actions where possible, and require explicit user confirmation before POST, PUT, PATCH, or DELETE requests.
The Membrane connection may retain access to the selected Security Journey account until the user revokes it.
Credential handling and refresh are expected for this integration, but users should understand they are delegating account access through Membrane.
Membrane handles authentication and credentials refresh automatically
Authenticate only the intended tenant/account, use least-privilege access where available, and revoke the connection when no longer needed.
Future npm package changes could affect what code is installed or executed locally.
The skill relies on a globally installed npm CLI using the moving @latest tag, which is normal for setup but less reproducible than a pinned version.
npm install -g @membranehq/cli@latest
Install from a trusted npm source, consider pinning a reviewed CLI version, and keep the CLI updated intentionally.
Security Journey data may pass through Membrane while the integration is used.
Security Journey requests, responses, and authentication context are routed through Membrane as a gateway, which is disclosed and purpose-aligned but creates a third-party data boundary.
send requests directly to the Security Journey API through Membrane's proxy. Membrane automatically ... injects the correct authentication headers
Use this only if you trust Membrane for the relevant tenant data, and avoid sending unnecessary sensitive information through proxy requests.
