Stackshare
ReviewAudited by ClawScan on May 10, 2026.
Overview
This StackShare skill is mostly coherent, but it gives broad credential-backed StackShare API access, including raw write/delete requests, without clear approval or scope limits.
Install only if you are comfortable using Membrane as an intermediary for StackShare. Prefer predefined actions, review the connected account permissions, and require explicit confirmation before any action or proxy request that creates, updates, or deletes StackShare data.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent following this skill could make broad StackShare API calls, including modifying or deleting StackShare data, if it has a connected account.
The skill documents a raw API escape hatch with write and delete methods. That may be useful, but it bypasses safer predefined actions and does not include explicit user-confirmation or scope limits for high-impact account changes.
When the available actions don't cover your use case, you can send requests directly to the StackShare API through Membrane's proxy... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).
Use predefined Membrane actions where possible and require explicit user confirmation before any POST, PUT, PATCH, or DELETE request.
The skill can act through the user's connected StackShare account according to the permissions granted during authentication.
The skill relies on delegated Membrane and StackShare authentication. This is expected for the integration and no local secret capture is shown, but it grants ongoing account access through the connected service.
Membrane handles authentication and credentials refresh automatically... `membrane login --tenant`... The user completes authentication in the browser.
Connect only the intended StackShare account, review granted permissions, and revoke the Membrane connection when it is no longer needed.
The user will rely on the current published Membrane CLI package, which can change over time.
The skill asks the user to install and run an external CLI, including an @latest invocation. This is central to the skill's purpose and user-directed, but it is not pinned in the skill instructions.
`npm install -g @membranehq/cli` ... `npx @membranehq/cli@latest action list --intent=QUERY --connectionId=CONNECTION_ID --json`
Install the CLI from the expected package source, consider pinning a reviewed version, and avoid running unexpected commands outside the documented workflow.