Miro Developer App

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a coherent Miro integration, but it requires Membrane/Miro authentication and can run actions that may change Miro workspace data.

Before installing, make sure you trust Membrane and the npm CLI package. During use, review OAuth scopes and confirm any action that creates, modifies, deletes, or manages Miro boards, users, or board content.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the CLI globally can run third-party package code, and later versions may differ from the version reviewed here.

Why it was flagged

The skill asks the user to install a global npm package at the mutable @latest version. This is expected for a Membrane CLI integration, but it relies on the external npm package supply chain.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Install only if you trust Membrane and the npm package source; consider pinning or reviewing the CLI version in controlled environments.

What this means

The connected account may allow the agent to read or change Miro boards, members, and related data according to the granted scopes.

Why it was flagged

The integration requires delegated authentication and ongoing credential refresh for Membrane/Miro access. This is purpose-aligned, but it grants account-level authority to operate on Miro data.

Skill content

Membrane handles authentication and credentials refresh automatically ... The user completes authentication in the browser.

Recommendation

Review OAuth scopes during login, use the least-privileged account appropriate for the task, and revoke the Membrane/Miro connection when it is no longer needed.

What this means

A mistaken or overly broad action could create or modify Miro workspace content or other account data.

Why it was flagged

The skill enables generic action execution and direct Miro API proxying. That is consistent with an integration skill, but it can perform broad read/write operations if used without careful user direction.

Skill content

membrane action run <actionId> --connectionId=CONNECTION_ID --input '{"key": "value"}' --json ... When the available actions don't cover your use case, you can send requests directly to the Miro Developer App API

Recommendation

Confirm the exact action, endpoint, parameters, and expected effect before running create, update, delete, member-management, or direct proxy requests.

What this means

If provider-returned instructions were over-trusted, the agent could be steered into unintended follow-up actions.

Why it was flagged

The skill allows provider-returned connection state to include instructions for the agent. This can be useful setup guidance, but such text should not override the user's original goal or safety checks.

Skill content

`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

Recommendation

Treat returned agent instructions as contextual hints only, and require user confirmation for high-impact or unrelated actions.