Act 365
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate Act! 365 CRM integration, but it gives the agent broad authenticated CRM access through Membrane, including a raw API proxy without clear guardrails.
Install this only if you trust Membrane and need agent access to Act! 365. Use the least-privileged CRM account available, prefer named actions over raw proxy calls, confirm any create/update/delete or bulk operation before it runs, and revoke the connection when finished.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could potentially read or change more CRM data than the user expected if it uses broad Act! 365 API endpoints.
This is a raw authenticated API escape hatch beyond the listed action interface. The artifact does not clearly bound what endpoints, methods, or mutations the agent may use through the proxy.
When the available actions don't cover your use case, you can send requests directly to the Act! 365 API through Membrane's proxy... injects the correct authentication headers
Prefer the named Membrane actions where possible, require explicit user confirmation before write/delete/bulk operations, and restrict proxy use to specific user-approved endpoints.
CRM operations may be performed with the authority of the connected Membrane/Act! 365 account.
The skill relies on delegated authentication and automatic credential refresh. That is expected for an Act! 365 integration, but it means actions run with the user's connected account privileges.
Membrane handles authentication and credentials refresh automatically
Use a least-privileged Act! 365 account where possible and revoke the Membrane connection when it is no longer needed.
The installed CLI version may change over time, so future behavior depends on the current npm package.
The setup installs a global npm CLI at the latest available version. This is central to the skill's purpose, but it is not pinned to a reviewed version.
npm install -g @membranehq/cli@latest
Install only from the trusted npm package source and consider pinning a specific CLI version in controlled environments.
A setup response could steer the agent's next steps during connection setup.
The skill allows setup responses to include instructions for the agent. This is useful integration plumbing, but remote instructions should not override the user's original goal or approval boundaries.
clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically
Treat returned agent instructions as advisory data, and ask the user before taking ambiguous or high-impact actions.
CRM requests and responses may pass through Membrane while using this skill.
The integration routes Act! 365 API activity through Membrane as a proxy/gateway. This is disclosed and purpose-aligned, but it is an important data-boundary consideration.
you can send requests directly to the Act! 365 API through Membrane's proxy
Install only if you trust Membrane to mediate Act! 365 access and handle the associated CRM data.