Showpad
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a normal-looking Showpad integration, but it gives the agent broad authenticated API-proxy power that could change or delete Showpad data without clear guardrails.
Only install this if you trust Membrane and need Showpad automation. Use a least-privileged Showpad connection, prefer built-in Membrane actions, and require explicit approval before any raw API call that creates, edits, shares, or deletes data.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could make authenticated Showpad API calls that alter or delete business content, users, shares, or other account data.
The skill authorizes a broad authenticated API escape hatch, including write and delete methods, without scoping endpoints or requiring confirmation for destructive changes.
When the available actions don't cover your use case, you can send requests directly to the Showpad API through Membrane's proxy... `membrane request CONNECTION_ID /path/to/endpoint` ... HTTP method (GET, POST, PUT, PATCH, DELETE).
Use pre-built Membrane actions when possible. Require the user to specify and approve the exact endpoint, method, and request body before any POST, PUT, PATCH, or DELETE request.
The skill can access Showpad data according to the permissions granted to the connected account.
The skill depends on delegated Membrane and Showpad authentication. This is expected for the integration, but actions run with the connected account's privileges.
Membrane handles authentication and credentials refresh automatically... `membrane login --tenant` ... The user completes authentication in the browser.
Connect with the least-privileged Showpad account that can perform the intended task, and revoke the Membrane connection when it is no longer needed.
The user's environment will run code from the npm-distributed Membrane CLI, so package provenance and version changes matter.
The skill asks the user to install and run an external npm CLI package, including an @latest invocation. This is central to the stated purpose, but the package version is not pinned in the instructions.
`npm install -g @membranehq/cli` ... `npx @membranehq/cli@latest action list --intent=QUERY --connectionId=CONNECTION_ID --json`
Install the CLI only from the official package source, consider pinning a reviewed version, and avoid running unexpected npm/npx commands outside the documented workflow.
