ClawHub
Back to skill
v1.0.2

Holded

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:25 AM.

Analysis

This appears to be a legitimate Holded/Membrane integration, but it gives broad authenticated access to read and change business data, including raw API requests, so it should be reviewed carefully before installation.

GuidanceInstall only if you are comfortable connecting Membrane to your Holded business account. Use least-privileged access, prefer prebuilt read-only or scoped actions, and require explicit confirmation before creating, updating, deleting, or using raw proxy API requests.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityHighConfidenceHighStatusConcern
SKILL.md
Proxy requests ... send requests directly to the Holded API through Membrane's proxy ... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE)

The skill exposes an authenticated raw API path, including write and delete methods, instead of only scoped prebuilt actions.

User impactA mistaken or overbroad request could create, change, or delete important business, financial, CRM, or HR records in Holded.
RecommendationRequire explicit user confirmation before any non-GET or raw proxy request, prefer prebuilt scoped actions where possible, and use least-privileged Holded access.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
npm install -g @membranehq/cli

The user is directed to install a global npm CLI outside the registry install spec; this is user-directed and purpose-aligned, but it adds third-party code to the local environment.

User impactInstalling the global CLI affects the local system and depends on the integrity of the npm package source.
RecommendationInstall only from the official package/source, verify the package name, and keep the CLI updated.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
membrane login --tenant ... Membrane handles authentication and credentials refresh automatically

The skill relies on delegated Membrane/Holded authentication and persistent credential refresh, which is expected for this integration but sensitive.

User impactCommands run through this skill can act with the permissions of the connected Holded account.
RecommendationConnect only an appropriate least-privileged account, review the permissions granted during authentication, and revoke the connection when no longer needed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityMediumConfidenceHighStatusNote
SKILL.md
send requests directly to the Holded API through Membrane's proxy ... injects the correct authentication headers

Holded API traffic and authentication mediation flow through Membrane as a gateway; this is disclosed, but the artifact does not describe logging, retention, or data-handling boundaries.

User impactBusiness data sent to or received from Holded may pass through Membrane's service during proxy requests.
RecommendationReview Membrane's data-handling terms and avoid sending unnecessary sensitive accounting, HR, or customer data through raw proxy requests.