Digicert

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a coherent DigiCert integration, but it requires account authentication and can perform high-impact certificate and account-management actions.

Before installing, confirm you trust Membrane and the npm CLI source, use a least-privileged DigiCert account, and require explicit approval before the agent revokes certificates or deletes domains, organizations, users, or other account resources.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, the agent could disrupt certificate operations, remove domains or organizations, or revoke certificates in the user's DigiCert account.

Why it was flagged

The skill advertises DigiCert actions that can delete account resources or revoke certificates. These are aligned with a DigiCert management integration, but they are high-impact operations.

Skill content
| Delete Organization | delete-organization | Delete an organization from your account |
...
| Delete Domain | delete-domain | Delete a domain from your account |
...
| Revoke Certificate | revoke-certificate | Revoke a specific certificate |
Recommendation

Require explicit user confirmation before any create, delete, reissue, duplicate, or revoke operation, and review the exact target resource and parameters before execution.

What this means

Installing and using the skill may give Membrane-mediated tools access to DigiCert account data and management actions.

Why it was flagged

The integration requires delegated authentication through Membrane and DigiCert, and Membrane may refresh credentials automatically. This is expected for the stated purpose but grants sensitive account authority.

Skill content
Membrane handles authentication and credentials refresh automatically ... membrane login --tenant --clientName=<agentType> ... The user completes authentication in the browser.
Recommendation

Use the least-privileged DigiCert account or token available, review the requested scopes during login, and revoke the connection when it is no longer needed.

What this means

The behavior of the installed CLI can change over time as @latest updates, and global npm installs affect the user's local environment.

Why it was flagged

The documented setup installs a global CLI package from npm using the moving @latest tag. This is a normal setup step for this Membrane-based skill, but it relies on external package provenance and future updates.

Skill content
npm install -g @membranehq/cli@latest
Recommendation

Install from the official package source, consider pinning a reviewed CLI version, and keep the CLI updated through trusted channels.

What this means

Remote setup guidance could influence what the agent does next during connection workflows.

Why it was flagged

The skill allows remote Membrane connection responses to provide instructions to the agent. This is disclosed integration behavior, but such instructions should remain subordinate to the user's request and safety checks.

Skill content
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.
Recommendation

Treat returned agent instructions as untrusted operational guidance, not as permission to bypass user intent or perform sensitive actions without approval.