Celonis Ems
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could run the wrong Celonis action or make a broad direct request, potentially changing business or organization data if the connected account has permission.
The skill exposes generic authenticated action execution and a direct-request fallback. For a Celonis EMS organization-management integration, this can reach high-impact account or business-data operations, but the provided instructions do not define approval, read-only limits, rollback, or scoping for mutations.
membrane action run <actionId> --connectionId=CONNECTION_ID --json ... ### Proxy requests ... When the available actions don't cover your use case, you can send requests directly
Use a least-privileged Celonis/Membrane account, inspect the action schema before running it, and require explicit user confirmation for any create, update, delete, admin, or proxy/direct request.
The skill can act with the permissions of the connected Celonis/Membrane account.
The skill clearly relies on Membrane/Celonis account authentication and automatic credential refresh. This is expected for the integration, but it grants delegated access to the user's Celonis environment.
Membrane handles authentication and credentials refresh automatically ... membrane login --tenant --clientName=<agentType>
Connect only accounts with the minimum permissions needed and review active Membrane/Celonis connections regularly.
The installed CLI version may change over time and runs with the user's local permissions.
The skill asks for a global npm install of the latest Membrane CLI. This is central to the stated purpose, but @latest is unpinned and the registry metadata says there are no required binaries.
npm install -g @membranehq/cli@latest
Verify the npm package source, consider pinning a known-good version, and install it in a controlled environment where possible.
