Mslm Cloud
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a real Mslm Cloud integration, but it gives the agent broad authenticated API access, including changing or deleting cloud resources, with limited built-in scoping.
Install only if you are comfortable giving Membrane-mediated access to your Mslm Cloud account. Use a least-privileged account where possible, confirm any write/delete or user-organization changes before execution, and consider pinning the Membrane CLI version rather than using @latest.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent uses this too broadly or on the wrong connection, it could change or delete Mslm Cloud data, users, organizations, files, or sharing settings.
This documents a broad authenticated API escape hatch, including mutating and deleting requests, without clear confirmation, scope, or rollback guidance.
When the available actions don't cover your use case, you can send requests directly to the Mslm Cloud API through Membrane's proxy... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).
Prefer scoped prebuilt actions, require explicit user confirmation before POST/PUT/PATCH/DELETE or user/org changes, and verify the exact connection, endpoint, and payload before running raw proxy requests.
The agent may act with the permissions of the connected Mslm Cloud/Membrane account.
The integration uses delegated account credentials and automatic refresh. That is expected for Mslm Cloud access, but it gives the agent ongoing authenticated authority through Membrane.
Membrane handles authentication and credentials refresh automatically... Membrane automatically... injects the correct authentication headers — including transparent credential refresh if they expire.
Authenticate only the intended account, use the least-privileged account or connection available, and revoke the Membrane connection when no longer needed.
A future CLI release or npm supply-chain issue could affect what is executed locally.
The documented setup installs the latest Membrane CLI globally from npm, so the exact code run can change over time.
npm install -g @membranehq/cli@latest
Install from the official package source, consider pinning a reviewed CLI version, and avoid running global installs in highly sensitive environments without review.
Remote setup instructions could influence how the agent proceeds if treated as authoritative.
The skill may expose service-provided instructions to the agent during connection setup. This can be useful, but such text should not override the user's actual request or safety constraints.
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.
Treat returned agent instructions as advisory data, and keep user intent, approval requirements, and safety rules authoritative.