Calltrackingmetrics
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is a coherent CallTrackingMetrics integration, but it requires Membrane login/credential handling and can perform impactful account actions such as sending SMS, deleting contacts, and purchasing numbers.
Install only if you trust Membrane and are comfortable connecting your CallTrackingMetrics account. Before allowing actions, confirm the exact account, action, and parameters, especially for sending SMS, deleting or updating contacts, changing routing, or purchasing phone numbers.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing a global CLI from npm can change the local environment, and @latest may install different code over time.
The skill directs installation of a global npm CLI using the moving @latest tag. This is central to the skill's stated Membrane workflow, but the exact package version is not pinned in the artifact.
npm install -g @membranehq/cli@latest
Install only from the trusted Membrane npm package source, consider pinning a known version, and use a controlled environment if possible.
Membrane and the resulting CallTrackingMetrics connection may retain access needed to read or manage account data until access is revoked.
The skill requires delegated authentication through Membrane and indicates that credential refresh is handled automatically. This is expected for a third-party API integration, but it grants persistent account access.
Membrane handles authentication and credentials refresh automatically
Use the least-privileged CallTrackingMetrics account available, review granted scopes/permissions, and revoke the Membrane connection when it is no longer needed.
A mistaken or overly broad request could change account data, send texts, affect call routing, or buy phone numbers.
The listed available actions include operations that can send messages, delete or update business data, change phone routing, or incur purchases. These are aligned with managing CallTrackingMetrics, but they are high-impact actions.
| Send SMS | send-sms | ... | Delete Contact | delete-contact | ... | Purchase Number | purchase-number | ... | Update Number Routing | update-number-routing |
Require an explicit user confirmation and a parameter preview before purchases, deletions, SMS sends, routing changes, or other irreversible account mutations.
CallTrackingMetrics data and commands may be processed through the Membrane service as part of the integration flow.
The integration is mediated through Membrane rather than directly embedded in the skill. This gateway use is disclosed and purpose-aligned, but users should understand where requests, responses, and authentication state are handled.
This skill uses the Membrane CLI to interact with Calltrackingmetrics.
Review Membrane's data-handling terms and connection settings before using it with sensitive call logs, contacts, messages, or account information.
Provider-returned guidance could influence the agent's next steps during setup or connection recovery.
The skill documents that a connection response may contain instructions for the agent. This is part of the integration workflow, but external instructions should not override the user's goal or safety checks.
clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically.
Treat returned agentInstructions as untrusted workflow hints and continue to follow the user's explicit request, approval requirements, and safety boundaries.