Appwrite

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a real Appwrite/Membrane integration, but it gives the agent broad power to run Appwrite actions, including account and project mutations, without clear confirmation or scope limits.

Install only if you trust Membrane and intend to grant it access to your Appwrite environment. Use least-privilege credentials, pin or verify the CLI, and explicitly instruct the agent to ask before making any create, update, delete, membership, permission, storage, function, or project-changing operation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked on an ambiguous request, the agent could make real changes to Appwrite backend data or accounts rather than only reading information.

Why it was flagged

The skill documents a generic action-discovery and action-run workflow that can perform mutating Appwrite operations, including user/team/database changes, without visible instructions to get explicit user confirmation or constrain the project/action scope.

Skill content

Use action names and parameters as needed. ... Popular actions ... Create Database ... Create Document ... Create User ... Create Team ... membrane action run <actionId> --connectionId=CONNECTION_ID --input '{"key": "value"}' --json

Recommendation

Before using it, require the agent to confirm any create, update, delete, invitation, membership, function, storage, or permission-changing action, and restrict it to the intended Appwrite project/connection.

What this means

Using the skill may grant Membrane/CLI-based access to the connected Appwrite environment until the connection or credentials are revoked.

Why it was flagged

The skill requires delegated authentication through Membrane and Appwrite. This is expected for the stated integration, but it is sensitive account access and appears to persist through credential refresh.

Skill content

Membrane handles authentication and credentials refresh automatically ... membrane login --tenant --clientName=<agentType> ... membrane connection ensure "https://appwrite.io/" --json

Recommendation

Use least-privilege Appwrite credentials, connect only the intended tenant/project, and revoke the Membrane connection when it is no longer needed.

What this means

The local tool being installed or executed may differ depending on the latest npm release at install time.

Why it was flagged

The documented setup uses unpinned npm/npx CLI commands, including a global install. This is user-directed and central to the integration, but it means the installed code can change over time.

Skill content

npm install -g @membranehq/cli@latest ... npx @membranehq/cli connection get <id> --wait --json

Recommendation

Verify the npm package and publisher, consider pinning a known version, and install in a constrained environment if possible.

What this means

Appwrite account, project, and data operations may pass through Membrane rather than being handled only locally.

Why it was flagged

The integration routes Appwrite authentication and action execution through the external Membrane service. That data flow is disclosed and purpose-aligned, but users should understand that Appwrite requests and responses are mediated by Membrane.

Skill content

This skill uses the Membrane CLI to interact with Appwrite. Membrane handles authentication and credentials refresh automatically

Recommendation

Review Membrane's trust, privacy, and access controls before connecting sensitive Appwrite projects.