Finage
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a normal Finage market-data integration. The main caution is that it asks users to install and log in to the Membrane CLI.
This skill looks coherent for accessing Finage market data. Before installing, make sure you trust Membrane, understand that the CLI may store/refresh login credentials, and confirm that any actions are run only against the intended Finage connection.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing a global CLI gives that package local execution capability on the user’s machine.
The skill asks the user to install a global CLI package from npm using the mutable @latest tag. This is a relevant supply-chain exposure, but it is disclosed and central to the Membrane-based integration.
npm install -g @membranehq/cli@latest
Install only if you trust Membrane and npm package provenance; consider pinning a specific CLI version where possible.
The user may need to authenticate a Membrane account and connect Finage so the agent can query data through that connection.
The skill uses Membrane-managed authentication and token refresh for Finage access. This is expected for the integration, but it means the user is delegating account access to Membrane.
Membrane handles authentication and credentials refresh automatically
Authenticate only the intended account and verify the Finage connection before allowing actions to run.
Queries and connection setup may pass through Membrane rather than going directly from the agent to Finage.
The integration routes Finage access through Membrane’s connection system. This is disclosed and purpose-aligned, but users should recognize that a third-party service mediates the connection.
Use `membrane connection ensure` to find or create a connection by app URL or domain
Review Membrane’s account and connection settings and avoid sending sensitive or unintended data through the connection.
