Blink

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is a Membrane-based Blink connector, but it mixes Blink service identities and enables broad OAuth-backed actions such as deleting linked accounts or sending organization-wide feed events without clear confirmation boundaries.

Review this skill before installing. Confirm which Blink product it actually targets, install the Membrane CLI only if you trust that package, and require explicit approval before the agent runs any delete, update, send, or organization-wide action.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may misunderstand which Blink product is being connected and what data or account permissions the agent will receive.

Why it was flagged

The skill presents inconsistent Blink identities: an IT/on-call automation description, Blink-for-Home developer docs, and a JoinBlink connection URL. Because the skill asks the user to authenticate, this ambiguity could cause users to connect or trust the wrong service.

Skill content

Blink is an app that helps IT teams automate on-call tasks and resolve incidents faster. ... Official docs: https://developer.blinkforhome.com/ ... membrane connection ensure "https://joinblink.com/" --json

Recommendation

Clarify the exact Blink service, docs, OAuth destination, and supported actions before installing or authenticating.

What this means

If used carelessly, the agent could modify account records or send/archive feed events affecting many users.

Why it was flagged

The documented workflow lets the agent run generic Membrane actions, including delete/update operations and organization-wide feed actions, without clear instructions to obtain explicit user confirmation or limit scope for high-impact changes.

Skill content

Delete User Linked Account ... Update User Linked Account ... Archive Feed Event | Dismiss a feed event for all recipients. ... Send Feed Event | Send a feed event to users in your organisation. ... membrane action run <actionId> --connectionId=CONNECTION_ID --json

Recommendation

Require explicit user approval for delete, update, send, archive, or organization-wide actions, and show the target connection, action, and parameters before running them.

What this means

Membrane and the configured connection may retain the ability to act on the connected Blink account until access is revoked.

Why it was flagged

The skill discloses delegated authentication through Membrane and automatic credential refresh. This is expected for the integration, but it grants sensitive account authority.

Skill content

Membrane handles authentication and credentials refresh automatically ... membrane login --tenant --clientName=<agentType>

Recommendation

Authenticate only to the intended account, review granted scopes where available, and revoke the connection when no longer needed.

What this means

The behavior of the installed CLI can change over time and is outside this static review.

Why it was flagged

The skill depends on a globally installed npm CLI at the latest version. This is disclosed and purpose-aligned, but the installed external code is not included in the reviewed artifacts or pinned to a specific version.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Install from a trusted environment, consider pinning a reviewed CLI version, and verify the package source before use.