Shopee
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Shopee integration, but it gives the agent broad authenticated ability to run raw Shopee API requests, including update and delete operations, without clear guardrails.
Review this skill before installing if your Shopee account contains business-critical data. It is not clearly malicious, but you should require explicit confirmation before any create, update, delete, or raw proxy request, and use a least-privileged connection where possible.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could modify or delete Shopee data if given or inferred instructions that lead it to use the raw API path.
This exposes a raw authenticated API escape hatch, including mutating and deleting methods, without clear limits or approval requirements.
When the available actions don't cover your use case, you can send requests directly to the Shopee API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE).
Only use this skill with explicit user confirmation for write/delete operations, prefer discovered Membrane actions, and restrict requests to the specific Shopee records the user asked to manage.
Installing and using the skill can grant Membrane-mediated access to the connected Shopee account.
The skill depends on delegated authentication and refreshed credentials for Shopee access, which is expected but sensitive.
Membrane handles authentication and credentials refresh automatically
Use the least-privileged Shopee connection available and review or revoke the connection when it is no longer needed.
The installed CLI version may change over time, so the behavior being run may differ from what was reviewed here.
The setup installs a global npm package from the latest tag rather than pinning a fixed, reviewed version.
npm install -g @membranehq/cli@latest
Prefer a pinned CLI version when possible and install it only from the official npm package source.
Returned instructions could influence the agent's next steps if treated as authoritative rather than as connection-status guidance.
The workflow may surface external instructions for the agent to follow during connection setup.
clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically.
Treat provider-returned agent instructions as untrusted guidance and keep the user's original request and approval boundaries in control.
