Cloze
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a plausible Cloze/Membrane integration, but it gives the agent access to create, update, and delete CRM records without clear confirmation or scoping safeguards.
Only install this if you are comfortable giving Membrane-mediated access to Cloze. Before letting the agent modify data, require it to show the exact records and changes, and confirm any create, update, or delete operation yourself.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent misunderstands a request or selects the wrong record, it could change or delete important Cloze data such as companies, projects, or people.
The skill exposes high-impact Cloze actions that can mutate or delete CRM/business records, but the visible instructions do not require explicit user confirmation, record-scoping, or reversibility checks before using them.
Use action names and parameters as needed. ... Delete Project ... Delete Company ... Update Company ... Create Company
Require explicit user approval before create/update/delete actions, confirm exact record IDs and affected fields, prefer search/read-only steps first, and document whether deleted or changed records can be recovered.
The connected account may allow the agent to view or modify CRM data according to the permissions granted in Cloze and Membrane.
The skill uses delegated Membrane/Cloze authentication and automatic credential refresh. This is expected for a Cloze integration, but it gives the integration ongoing account access.
membrane login --tenant --clientName=<agentType> ... Membrane handles authentication and credentials refresh automatically
Use the least-privileged Cloze account available, review requested scopes and connection permissions, and disconnect or revoke the Membrane connection when it is no longer needed.
A future CLI release could behave differently from the version reviewed here, and a global install affects the user's broader environment.
The skill asks the user to install a global npm CLI package using the moving @latest tag. The CLI is central to the stated purpose, but the exact installed version is not pinned in the artifact.
npm install -g @membranehq/cli@latest
Prefer a pinned CLI version where possible, install from the official package source, and review updates before upgrading.