IBM Cloud

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent IBM Cloud integration, but it delegates cloud access through Membrane and can run broad IBM Cloud API actions, so users should review permissions carefully.

This skill appears consistent with an IBM Cloud integration and no code-level issues were provided. Before installing, understand that Membrane will broker authentication and the agent may be able to run authenticated IBM Cloud actions or raw API requests. Use a least-privilege IBM Cloud account and confirm any action that creates, changes, or deletes cloud resources.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could make significant IBM Cloud changes if given or inferred the wrong request.

Why it was flagged

The skill documents a raw authenticated API proxy that can use mutating methods. This is aligned with an IBM Cloud management integration, but broad API access can change or delete cloud resources if used carelessly.

Skill content

When the available actions don't cover your use case, you can send requests directly to the IBM Cloud API through Membrane's proxy... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).

Recommendation

Use least-privilege IBM Cloud credentials and require explicit user confirmation before POST, PUT, PATCH, or DELETE requests.

What this means

The connected account permissions determine what the agent can read or modify in IBM Cloud.

Why it was flagged

The skill relies on delegated IBM Cloud authentication through Membrane, including credential refresh and injected auth headers. This is expected for the integration, but it gives the connection authority over the linked cloud account.

Skill content

Membrane handles authentication and credentials refresh automatically... Membrane automatically... injects the correct authentication headers

Recommendation

Connect only accounts or service identities with the minimum IBM Cloud permissions needed for the task.

What this means

Future CLI versions may behave differently from the version reviewed here.

Why it was flagged

The setup instructions ask the user to install the latest Membrane CLI globally from npm. This is a disclosed, purpose-aligned dependency, but using @latest is not version-pinned.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

If reproducibility matters, pin a known Membrane CLI version and install it from the official package source.

What this means

External connection guidance could influence how the agent proceeds during setup or recovery.

Why it was flagged

The skill allows Membrane connection state to return agent-facing instructions. This is normal integration workflow data, but agents should not treat externally returned instructions as overriding the user's intent.

Skill content

`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

Recommendation

Treat returned agent instructions as advisory and keep user intent and approval requirements in control.