Solarwinds Service Desk
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly, the agent could create, modify, or delete service desk records such as incidents, changes, assets, users, or other business data.
The skill documents a raw API escape hatch with mutating and deleting methods, but does not provide clear approval, scoping, rollback, or safety guidance for high-impact SolarWinds operations.
When the available actions don't cover your use case, you can send requests directly to the SolarWinds Service Desk API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE).
Use this only with explicit user direction, require confirmation before POST/PUT/PATCH/DELETE or user/account changes, and prefer narrowly scoped listed actions over raw proxy requests.
The agent may operate with the permissions of the connected SolarWinds account.
The integration necessarily uses delegated SolarWinds/Membrane account access and refreshable credentials; this is expected, but it is sensitive authority.
Membrane handles authentication and credentials refresh automatically
Connect a least-privileged account and verify what SolarWinds permissions the Membrane connection receives.
The installed CLI version may change over time, and a global install has broader local impact than a pinned, project-local dependency.
The skill asks for a global npm CLI install using the latest tag. This is central to the skill's purpose, but it is not pinned to a reviewed version.
npm install -g @membranehq/cli@latest
Verify the npm package source and consider pinning a known Membrane CLI version before installation.
SolarWinds request data and delegated access are mediated by Membrane, so sensitive service desk data may pass through that provider path.
Requests and authentication handling pass through the Membrane proxy/gateway. That is expected for this integration, but it is an important data and permission boundary.
Membrane automatically appends the base URL to the path you provide and injects the correct authentication headers
Review Membrane's access model and only send data through this integration that is appropriate for that provider connection.