Tempo
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Tempo appears to be a legitimate Membrane-based integration, but it gives the agent broad authenticated API access, including write and delete requests, without clear approval or scope limits.
Install only if you trust Membrane and need an agent to work with Tempo data. Before allowing changes, ask the agent to show the exact action or API request it will run, and require explicit approval for any operation that creates, updates, or deletes records.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent chooses the wrong endpoint or parameters, it could create, modify, or delete Tempo business records such as worklogs, accounts, teams, projects, or schedules.
The skill documents a raw authenticated API escape hatch with mutating and deleting HTTP methods, but does not define confirmation requirements, allowed endpoints, or rollback safeguards.
"When the available actions don't cover your use case, you can send requests directly to the Tempo API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE)."
Prefer discovered Membrane actions over raw proxy requests, and require explicit user approval before any POST, PUT, PATCH, or DELETE operation.
The agent can act through an authenticated Tempo connection, so its effective permissions depend on the connected account and granted scopes.
The skill relies on Membrane-managed authentication and refresh for access to Tempo. This is expected for the integration, but it is still delegated account authority.
"Membrane handles authentication and credentials refresh automatically"
Use a least-privilege Tempo/Membrane connection where possible, verify the tenant and account before connecting, and revoke access when no longer needed.
The installed CLI version may change over time, so future installs could run different code than the version considered when installing the skill.
The skill asks the user to install the latest global Membrane CLI from npm. This is user-directed and central to the skill, but @latest is not pinned to a reviewed version.
npm install -g @membranehq/cli@latest
Install from a trusted environment, consider pinning a known CLI version, and review the package source or publisher before installing globally.
Tempo record data and request details may pass through Membrane while performing integration actions.
Tempo API requests and responses are routed through Membrane's provider/proxy layer. This is disclosed and purpose-aligned, but users should be aware of the third-party data path.
"send requests directly to the Tempo API through Membrane's proxy... injects the correct authentication headers"
Confirm that Membrane's data handling and logging practices meet your organization's requirements before using it with sensitive Tempo data.
