Insightly

Review

Audited by ClawScan on May 10, 2026.

Overview

This looks like a legitimate Insightly CRM integration, but it gives the agent broad authenticated ability to change or delete business data through Membrane with limited visible guardrails.

Install only if you trust Membrane and intend to let the agent work with your Insightly CRM. Before allowing write or delete operations, ask the agent to show the exact action, endpoint, record IDs, and payload, and require explicit confirmation for any changes to business records.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent misunderstands a request or receives bad instructions, it could modify or delete Insightly CRM records such as organizations, deals, projects, notes, or files.

Why it was flagged

The skill documents a raw authenticated API escape hatch, including DELETE and other mutating methods, without visible scoping or confirmation requirements for high-impact CRM changes.

Skill content

When the available actions don't cover your use case, you can send requests directly to the Insightly API through Membrane's proxy... Common options: ... HTTP method (GET, POST, PUT, PATCH, DELETE).

Recommendation

Use predefined Membrane actions where possible, require explicit user confirmation before POST/PUT/PATCH/DELETE requests, and restrict proxy requests to specific endpoints and records.

What this means

Installing and using the skill may authorize the agent, through Membrane, to access and act on Insightly data in the connected account.

Why it was flagged

The skill relies on delegated Membrane/Insightly authentication and automatic credential refresh, which is expected for this CRM integration but grants account authority.

Skill content

Membrane handles authentication and credentials refresh automatically... membrane login --tenant --clientName=<agentType>

Recommendation

Authorize only the intended Insightly workspace, use least-privilege access where available, and revoke the Membrane connection when it is no longer needed.

What this means

The behavior depends on the current npm package version and its supply chain rather than only on the reviewed SKILL.md.

Why it was flagged

The documented setup installs the latest Membrane CLI globally from npm; this is central to the skill, but the executable code is not included in the artifact being reviewed.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Install from a trusted environment, consider pinning a known CLI version, and review the Membrane CLI package provenance before use.

What this means

Business CRM data and request details may pass through Membrane while interacting with Insightly.

Why it was flagged

CRM requests and responses are routed through Membrane as a provider/proxy layer. This is disclosed and purpose-aligned, but users should understand the data path.

Skill content

send requests directly to the Insightly API through Membrane's proxy... Membrane automatically... injects the correct authentication headers

Recommendation

Review Membrane's privacy and security posture, and avoid sending unnecessary sensitive CRM data through proxy requests.