Apisecai

Review

Audited by ClawScan on May 10, 2026.

Overview

This looks like a real Apisec.ai/Membrane integration, but it should be reviewed because it allows broad authenticated API calls, including changes and deletes, without clear confirmation limits.

Install only if you trust Membrane and are comfortable granting it access to Apisec.ai. Before use, decide who can approve write/delete operations, prefer scoped Membrane actions over raw proxy requests, use least-privileged credentials, and consider pinning the CLI version instead of installing the latest package globally.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A vague or mistaken task could lead the agent to modify or delete Apisec.ai account data, integrations, or user-related records through authenticated API calls.

Why it was flagged

This exposes a broad authenticated API escape hatch, including mutating and deleting methods, without an explicit requirement for user confirmation or endpoint scoping.

Skill content

When the available actions don't cover your use case, you can send requests directly to the Apisec.ai API through Membrane's proxy... injects the correct authentication headers... HTTP method (GET, POST, PUT, PATCH, DELETE).

Recommendation

Require explicit user approval before any non-read API call, prefer discovered scoped actions over raw proxy requests, and use the least-privileged Apisec.ai/Membrane connection available.

What this means

Installing and using the skill may give Membrane-mediated tooling access to Apisec.ai data and actions under the authenticated account.

Why it was flagged

The skill requires delegated account authentication and ongoing credential refresh, which is expected for this integration but grants meaningful account access.

Skill content

Membrane handles authentication and credentials refresh automatically... membrane login --tenant --clientName=<agentType>

Recommendation

Use a dedicated or least-privileged account where possible, review granted permissions, and revoke the Membrane connection when it is no longer needed.

What this means

Future changes to the npm package could affect what code runs locally when using the integration.

Why it was flagged

The setup installs the npm package globally at @latest rather than at a reviewed, pinned version or from a lockfile. This is a normal setup step for the skill but carries supply-chain change risk.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Verify the package source, consider pinning a known-good CLI version, and install it in a controlled environment.

What this means

Security-related Apisec.ai data may pass through Membrane infrastructure during action discovery, action execution, or proxy requests.

Why it was flagged

API requests, responses, and authentication handling are mediated by Membrane as an external gateway. This is disclosed and purpose-aligned, but it is an important data boundary.

Skill content

send requests directly to the Apisec.ai API through Membrane's proxy... injects the correct authentication headers

Recommendation

Review Membrane's data-handling terms and avoid sending unnecessary secrets or sensitive payloads through raw proxy calls.