Fieldpulse
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate FieldPulse integration, but it can use authenticated access to change business records without clear approval guardrails in the supplied instructions.
Review this before installing if your FieldPulse account contains customer, invoice, payment, or scheduling data. Use a least-privileged account, verify every create/update action before it runs, and be aware that the workflow depends on an external Membrane CLI and authenticated Membrane connection.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong intent or inputs, the agent could create or alter customer, job, or location records in a real FieldPulse account.
The skill exposes dynamic action selection and includes actions that create or update FieldPulse business records. In the supplied artifact, those mutation actions are not paired with clear confirmation, scoping, or rollback requirements.
Search using a natural language description ... membrane action list --connectionId=CONNECTION_ID --intent "QUERY" ... | Create Customer | create-customer | ... | Create Job | create-job | ... | Update Customer | update-customer |
Require explicit user confirmation before any create, update, payment, invoice, or other mutating action; show the target record and proposed changes before execution; prefer least-privileged FieldPulse access.
The agent may be able to access FieldPulse data under the connected account's permissions.
The integration requires delegated authenticated access through Membrane, including credential refresh. That is expected for a FieldPulse integration, but it is sensitive account authority.
Requires network access and a valid Membrane account ... Membrane handles authentication and credentials refresh automatically
Connect only the intended FieldPulse account, use the minimum permissions available, and revoke the Membrane connection when no longer needed.
The behavior of the CLI may depend on the current npm package version rather than a reviewed, pinned version.
The skill asks the user to install a global external npm CLI using the moving @latest tag. This is central to the stated Membrane workflow, but the installed code is outside the supplied artifact and can change over time.
npm install -g @membranehq/cli@latest
Install from the official source, consider pinning a known version, and review the Membrane CLI package before granting it account access.