Svix

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent uses this capability incorrectly, it could create, modify, or delete Svix account data through the user's authenticated connection.

Why it was flagged

This grants a raw authenticated API escape hatch, including write and delete methods, without the supplied text showing scoping, confirmation, or rollback controls.

Skill content

When the available actions don't cover your use case, you can send requests directly to the Svix API through Membrane's proxy... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).

Recommendation

Require explicit user approval for POST, PUT, PATCH, and DELETE requests; prefer scoped pre-built actions; document allowed endpoints and destructive-operation safeguards.

What this means

The user is delegating access to Svix through Membrane, so actions may be performed with the connected account's permissions.

Why it was flagged

The skill uses delegated account credentials and automatic refresh, which is expected for a Svix integration but gives the integration ongoing authority.

Skill content

Membrane handles authentication and credentials refresh automatically

Recommendation

Use a least-privileged Svix/Membrane account where possible, review granted scopes, and know how to revoke the connection.

What this means

A changed or compromised npm package could affect what runs locally when the user installs or invokes the CLI.

Why it was flagged

The installation path depends on the latest npm package at runtime, so the executed CLI may differ from what was reviewed.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Prefer a pinned CLI version, install from a trusted environment, and verify the package source before use.

What this means

Requests, responses, and authentication context may be handled by the Membrane service while interacting with Svix.

Why it was flagged

Svix API traffic and authentication handling pass through Membrane as an intermediary, which is disclosed and purpose-aligned but important for data-boundary awareness.

Skill content

send requests directly to the Svix API through Membrane's proxy... injects the correct authentication headers

Recommendation

Use this only if the user trusts Membrane as an API gateway for the connected Svix account and understands what data may pass through it.