Lattice
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is not clearly malicious, but it gives an agent broad, poorly bounded authority over sensitive HR/business data through a Membrane/Lattice account.
Review this skill carefully before use. Only connect it to a least-privilege Membrane/Lattice account, require explicit approval for any changes to HR or organizational records, and do not rely on the broad listed data categories unless the provider documents them as supported.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could make or guide changes to sensitive personnel or organizational records without clearly documented boundaries.
This grants broad management authority over business/HR records, but the provided artifacts do not define operation limits, approval requirements, read-only defaults, or safe handling for write actions.
description: | Lattice integration. Manage Persons, Organizations, Roles, Activities, Notes, Files.
Use only with explicit user confirmation for any write action, and document supported operations, least-privilege account scope, and rollback expectations.
Users may trust the skill to handle categories of sensitive financial, medical, or security-related data that are not clearly justified by the stated Lattice purpose.
The overview presents many highly sensitive and apparently unrelated data categories as part of the Lattice integration, which can mislead users or agents about the skill's real scope.
Lattice Overview ... Medical Record ... Payroll ... Bank Account ... Credit Card ... National Security
Narrow the documented object list to verified Lattice entities and clearly exclude unsupported or unrelated sensitive data categories.
The skill may operate with whatever Lattice or Membrane permissions the connected account has.
Account-backed network access is expected for this integration, but it is sensitive authority and registry metadata lists no primary credential or env vars.
compatibility: Requires network access and a valid Membrane account (Free tier supported).
Connect only a least-privilege account and verify what Membrane/Lattice permissions are granted before allowing updates.
