Commcare

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is a plausible CommCare integration, but it exposes very broad data and administration actions without clear limits or confirmation guidance.

Review before installing. This skill may be useful for CommCare automation, but use a least-privilege Membrane/CommCare account and require explicit confirmation before any write, import, export, user/role, settings, subscription, or project-transfer action.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked too broadly, the agent could alter workflows, users, roles, exports, imports, or project-level settings in a CommCare environment.

Why it was flagged

The skill describes broad CommCare data and administrative capabilities, including imports/exports and project/account-level objects, but the visible instructions do not set approval, scoping, rollback, or read-only boundaries.

Skill content

Manage data, records, and automate workflows ... Bulk Export ... Project Setting ... Project Transfer ... User Role ... Case Rule Import ... Use action names and parameters as needed.

Recommendation

Use only with explicit user-directed tasks, prefer least-privilege CommCare/Membrane access, and require confirmation before any create, update, delete, import, export, project transfer, user, role, or settings change.

What this means

The agent may act through a logged-in Membrane/CommCare connection with whatever permissions that account has.

Why it was flagged

The integration requires authenticating through Membrane and delegates credential handling/refresh to that service, which is expected for this purpose but still grants account authority.

Skill content

Requires network access and a valid Membrane account ... Membrane handles authentication and credentials refresh automatically ... membrane login --tenant --clientName=<agentType>

Recommendation

Connect a least-privilege account and review which CommCare domains, projects, and permissions the Membrane connection can access.

What this means

The local CLI code the user installs may differ depending on when the command is run.

Why it was flagged

The skill asks the user to install a global npm CLI using the moving @latest tag. This is central to the stated integration, but it means the installed code can change over time.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Install from the official source, consider pinning a trusted version, and keep the CLI updated through normal change-control practices.

What this means

Sensitive CommCare case, form, user, or project data may be accessed through a third-party integration service.

Why it was flagged

CommCare access is mediated through Membrane, an external integration layer. This is disclosed and purpose-aligned, but it means sensitive CommCare data and credentials may be handled through that provider boundary.

Skill content

This skill uses the Membrane CLI to interact with CommCare. Membrane handles authentication and credentials refresh automatically

Recommendation

Confirm that Membrane is an approved integration path for the CommCare data involved, and avoid using this skill for protected data unless the account and provider controls are appropriate.