Manifestly Checklists
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a genuine Manifestly integration, but it gives broad authenticated access that can change or delete business data without clearly shown guardrails.
Install only if you are comfortable granting Membrane-backed access to your Manifestly account. Use a least-privileged account where possible, pin the CLI version in managed environments, and require explicit confirmation before the agent creates, updates, deletes, or manages users and teams.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could make broad changes to Manifestly business data, including users or teams, if given or inferred the wrong instruction.
This documents a broad authenticated API escape hatch, including mutating and delete methods, rather than only scoped prebuilt actions.
"When the available actions don't cover your use case, you can send requests directly to the Manifestly Checklists API through Membrane's proxy... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE)."
Only use this skill with a Manifestly account whose permissions are appropriate, and require explicit user confirmation before create, update, delete, user-management, or team-management operations.
The skill can act through the connected Manifestly account, so its effective permissions depend on that account and connection.
The skill requires delegated authentication through Membrane and keeps the connection usable through credential refresh.
"Membrane handles authentication and credentials refresh automatically... The user completes authentication in the browser. The output contains the new connection id."
Connect the least-privileged Manifestly account that will work, and review or revoke the Membrane connection when it is no longer needed.
Future CLI versions could behave differently from the version reviewed here.
The setup uses a global npm install of the latest CLI version, which is purpose-aligned but not pinned to a specific reviewed version.
npm install -g @membranehq/cli@latest
Prefer a pinned Membrane CLI version in controlled environments, and install it from a trusted npm configuration.
Business data sent to or received from Manifestly may pass through Membrane’s service as part of the integration.
Manifestly API traffic and authentication handling are routed through Membrane as a gateway/proxy.
"you can send requests directly to the Manifestly Checklists API through Membrane's proxy. Membrane automatically... injects the correct authentication headers"
Confirm that using Membrane as an intermediary is acceptable for the data involved and for your organization’s policies.
