Microsoft Dynamics 365 Business Central

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a legitimate Business Central integration, but it gives an agent broad OAuth-backed access to sensitive ERP actions without clear approval or scope limits.

Install only if you are comfortable giving Membrane and the agent access to your Microsoft Dynamics 365 Business Central tenant. Use a least-privilege account, avoid production write permissions unless necessary, and require explicit confirmation for any action that changes invoices, orders, purchases, customers, vendors, employees, ledgers, or company settings.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could be given broad ability to operate on Business Central data, including finance, customer, invoice, sales order, or purchasing-related workflows, without clear built-in guardrails.

Why it was flagged

The skill directs the agent to discover and use Membrane actions dynamically for a sensitive ERP system, but the visible instructions do not require user confirmation, read-only mode, or other limits before potentially impactful actions.

Skill content

Use action names and parameters as needed. ... membrane action list --connectionId=CONNECTION_ID --intent "QUERY" --limit 10 --json

Recommendation

Use only with a least-privilege Business Central/Membrane account and require explicit user approval before creating, updating, deleting, invoicing, ordering, purchasing, or otherwise changing business records.

What this means

The agent may act with the permissions of the authenticated Membrane/Microsoft Business Central connection.

Why it was flagged

The skill uses delegated authentication and credential refresh for the integration. This is expected, but it grants persistent account access through Membrane.

Skill content

Membrane handles authentication and credentials refresh automatically ... membrane login --tenant --clientName=<agentType>

Recommendation

Authenticate with the narrowest suitable account, review granted scopes/roles, and revoke the Membrane connection when no longer needed.

What this means

The installed CLI version may change over time, and the user is trusting the npm package and its global installation behavior.

Why it was flagged

The skill requires a global npm CLI install using '@latest'. This setup is purpose-aligned, but it is unpinned and not represented as a formal install spec.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Install from a trusted environment, consider pinning a known-good version, and review the Membrane CLI package before installing globally.

What this means

Provider-returned instructions could influence how the agent proceeds during setup or connection handling.

Why it was flagged

The skill allows dynamic instructions returned by the external Membrane connection flow to guide the agent. This may be legitimate integration plumbing, but such instructions should not override the user's intent or safety checks.

Skill content

clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically.

Recommendation

Treat returned agentInstructions as untrusted operational hints; do not let them override user requests, approval requirements, or security policy.

What this means

Business Central account access and possibly business data may pass through or be mediated by Membrane.

Why it was flagged

The integration routes authentication and Business Central operations through Membrane. This is disclosed and expected, but it introduces a third-party provider boundary for sensitive business data and credentials.

Skill content

This skill uses the Membrane CLI to interact with Microsoft Dynamics 365 Business Central. Membrane handles authentication and credentials refresh automatically

Recommendation

Review Membrane's trust model, permissions, logging, and data handling before connecting a production Business Central tenant.