Datascope
ReviewAudited by ClawScan on May 10, 2026.
Overview
The visible artifacts look like a purpose-aligned DataScope integration, but it uses Membrane authentication/CLI and can run actions that change DataScope records.
Before installing, make sure you trust Membrane's CLI package and are comfortable connecting your DataScope account through Membrane. Use least-privilege credentials and require explicit confirmation before running any create, update, bulk update, or delete-like action.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the CLI runs and trusts external package code on the local machine.
The skill depends on a globally installed external npm CLI using the moving @latest tag. This is disclosed and purpose-aligned, but users should notice the unpinned external dependency.
npm install -g @membranehq/cli@latest
Install only from the expected Membrane npm package, consider pinning a known version, and avoid running the install with unnecessary privileges.
The integration may be able to access or modify DataScope data according to the connected account's permissions.
The skill uses Membrane account authentication and credential refresh to access DataScope. This is expected for the stated integration, but it grants delegated account access.
Requires network access and a valid Membrane account ... Membrane handles authentication and credentials refresh automatically
Use a least-privilege DataScope/Membrane account where possible, review connection permissions, and revoke the connection if you stop using the skill.
A mistaken or overbroad action could change or remove DataScope metadata, locations, or form-answer data.
The documented workflow can run arbitrary discovered Membrane actions for the DataScope connection, including bulk update and soft-delete-capable operations. This matches a management integration but can have high impact.
membrane action run <actionId> --connectionId=CONNECTION_ID --input ...; Bulk Update Metadata Objects ... soft delete support
Confirm create/update/bulk/delete actions with the user, inspect action schemas and inputs, and test on low-risk records before applying broad changes.
Provider-returned instructions could influence the agent's next steps during connection setup.
The skill tells the agent that Membrane connection responses may include programmatic instructions. This can be legitimate setup guidance, but retrieved instructions should not override the user's request or safety checks.
clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically
Treat returned agent instructions as advisory, keep them scoped to the requested DataScope connection task, and ignore any instruction that conflicts with the user's intent.