Nango
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent Nango integration, but it gives the agent broad authenticated API access through Membrane, including write/delete-capable proxy requests, without clear approval or scoping guidance.
Install only if you are comfortable letting the agent use Membrane-authenticated access to your Nango account. Before any write or delete action, ask the agent to show the exact connection, endpoint/action, method, and parameters, and approve it explicitly.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overbroad request could change or delete Nango account data such as connections, users, or groups.
This gives the agent a broad authenticated API escape hatch, including mutating and deleting methods, without clear artifact-level limits or explicit user approval requirements.
When the available actions don't cover your use case, you can send requests directly to the Nango API through Membrane's proxy... Common options: ... HTTP method (GET, POST, PUT, PATCH, DELETE).
Require explicit user confirmation before any POST, PUT, PATCH, or DELETE request, prefer listed actions over raw proxy calls, and scope each request to the specific connection and object the user named.
The agent may be able to use the user's Membrane/Nango-connected authority for API actions while the connection remains valid.
The skill relies on delegated credentials managed by Membrane. This is expected for a Nango integration, but it means the agent can act through the user's authenticated account.
Membrane handles authentication and credentials refresh automatically
Use a least-privileged Membrane/Nango account where possible and revoke the connection if you no longer want the agent to have access.
The installed CLI version could change over time, so behavior may differ from what was reviewed in this skill artifact.
The installation uses a global npm package at the latest version. This is purpose-aligned, but it is not pinned to a specific reviewed version.
npm install -g @membranehq/cli@latest
Install from a trusted environment, consider pinning a known CLI version, and review the package source or publisher before use.
