Moneybird
Analysis
The skill appears to be a real Moneybird connector, but it asks for persistent accounting-account access and unpinned external CLI execution while giving the agent broad financial write actions without clear approval limits.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.
The skill lets instructions returned by an external connection flow steer the agent. That is purpose-aligned for setup, but `agentInstructions` arrives from outside the user's session and should be treated as data: it must not override the user's request, the task scope, or any safety check.
Use action names and parameters as needed. ... Create Sales Invoice ... Create Contact ... Create Product ... Update Sales Invoice
The skill exposes broad Moneybird actions, including creation and update of financial records, without specifying approval gates, a dry-run mode, amount or count limits, or a rollback procedure, so a single mis-parameterised call writes straight into the books.
npm install -g @membranehq/cli@latest
The skill instructs a global install of an external npm package at `@latest`, which is unpinned: the dist-tag resolves to whatever the publisher has most recently tagged, so the code that runs can differ between installs and cannot be reviewed in advance. The command also falls outside the install specification the skill itself provides.
npx @membranehq/cli connection get <id> --wait --json
The skill requires running an external CLI from the local terminal. This is consistent with the stated integration approach, but it is still local code execution users should notice.
`List Administrations` ... all administrations the authenticated user has access to ... `Create Sales Invoice` ... Create a new sales invoice
Because the agent can operate across every administration the user can access and perform create/update actions, a wrong administration ID or parameter propagates into real cloud accounting records; nothing in the skill scopes the agent to a single administration or confirms the target before a write.
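The two findings above (no approval gates, limits or dry-run; writes that can reach any accessible administration) describe controls that belong in front of the action layer rather than in the skill's prose. The following is an added example, not code from the skill, Membrane or Moneybird. It wraps an opaque `execute(action, params)` callable (assumed; it stands in for whatever the integration actually calls) with an administration allowlist, a per-invoice amount ceiling, a per-session write budget, a human approval callback and a dry-run default. The action names are the ones quoted from the skill; the parameter shape (`administration_id`, `lines` with `quantity` and `unit_price`) and the administration IDs are invented for the example and are not Moneybird's real schema.

```python
"""Approval gate for agent-issued Moneybird write actions (added example).

Not code from the skill, Membrane or Moneybird. `execute`, the parameter
shape and the administration IDs are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Any, Callable

# Action names quoted in the skill; anything else is treated as read-only.
WRITE_ACTIONS = frozenset({
    "Create Sales Invoice", "Update Sales Invoice",
    "Create Contact", "Create Product",
})


class PolicyViolation(Exception):
    """Raised before any call reaches the accounting backend."""


@dataclass(frozen=True)
class Policy:
    allowed_administrations: frozenset[str]  # explicit allowlist, never "all accessible"
    max_invoice_total: float                 # ceiling per invoice create/update
    max_writes_per_session: int              # blast-radius limit for a runaway agent
    approve: Callable[[str, dict], bool]     # human-in-the-loop decision
    dry_run: bool = True                     # safe default: log, do not write


def invoice_total(params: dict) -> float:
    """Sum quantity * unit_price over the assumed `lines` list."""
    return sum(float(l["quantity"]) * float(l["unit_price"])
               for l in params.get("lines", []))


@dataclass
class GatedClient:
    policy: Policy
    execute: Callable[[str, dict], Any]      # the real (or fake) backend call
    writes_done: int = 0
    audit_log: list = field(default_factory=list)

    def call(self, action: str, params: dict) -> Any:
        if action not in WRITE_ACTIONS:      # reads pass through, but are logged
            self.audit_log.append(("read", action, params))
            return self.execute(action, params)

        admin = params.get("administration_id")
        if admin not in self.policy.allowed_administrations:
            raise PolicyViolation(f"administration {admin!r} is not allowlisted")
        if action.endswith("Sales Invoice"):
            total = invoice_total(params)
            if total > self.policy.max_invoice_total:
                raise PolicyViolation(f"invoice total {total:.2f} exceeds ceiling")
        if self.writes_done >= self.policy.max_writes_per_session:
            raise PolicyViolation("per-session write budget exhausted")
        if not self.policy.approve(action, params):
            raise PolicyViolation(f"{action} was not approved")

        if self.policy.dry_run:              # record intent, touch nothing
            self.audit_log.append(("dry-run", action, params))
            return {"dry_run": True, "action": action, "params": params}

        self.writes_done += 1
        self.audit_log.append(("write", action, params))
        return self.execute(action, params)


def demo() -> dict:
    """Constructed scenario: a fake backend records what actually reached it."""
    backend_calls = []

    def fake_execute(action, params):
        backend_calls.append((action, params))
        return {"ok": True}

    policy = Policy(
        allowed_administrations=frozenset({"admin-A"}),  # constructed ID
        max_invoice_total=1000.0,
        max_writes_per_session=1,
        approve=lambda action, params: params.get("approved", False),
        dry_run=False,
    )
    client = GatedClient(policy, fake_execute)
    out = {}

    client.call("List Administrations", {})
    out["read_passthrough"] = len(backend_calls) == 1

    def blocked(action, params):
        try:
            client.call(action, params)
            return False
        except PolicyViolation:
            return True

    out["wrong_admin_blocked"] = blocked(
        "Create Sales Invoice", {"administration_id": "admin-B", "approved": True})
    out["over_limit_blocked"] = blocked(
        "Create Sales Invoice", {"administration_id": "admin-A", "approved": True,
                                 "lines": [{"quantity": 3, "unit_price": 400.0}]})
    client.call("Create Sales Invoice", {"administration_id": "admin-A", "approved": True,
                                         "lines": [{"quantity": 2, "unit_price": 50.0}]})
    out["approved_write_reached_backend"] = len(backend_calls) == 2
    out["budget_enforced"] = blocked(
        "Create Contact", {"administration_id": "admin-A", "approved": True})
    return out
```

The gate is deliberately placed between the agent and the backend call, so the agent's own instructions (including any `agentInstructions` returned by the connection flow) cannot switch it off; the dry-run default means a freshly installed skill can be exercised against real credentials without writing anything until a human turns writes on.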
Membrane handles authentication and credentials refresh automatically — so you can focus on the integration logic rather than auth plumbing.
The wording frames credential handling as automatic and convenient. That is not inherently deceptive, but users should still understand that persistent credential handling is sensitive.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Membrane handles authentication and credentials refresh automatically ... List Administrations ... all administrations the authenticated user has access to
The skill relies on persistent delegated access to the user's Moneybird account via Membrane and can enumerate every administration that access covers, but it does not name the scopes requested, how long the delegation lasts, or how the user revokes it.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
Use `membrane connection ensure` to find or create a connection by app URL or domain ... If no app is found, one is created and a connector is built automatically.
The skill routes authentication and Moneybird operations through a Membrane gateway/connector flow. This is purpose-aligned, but because a missing app leads to a connector being built automatically, the component that mediates the user's financial data is chosen at runtime rather than reviewed up front; connector origin, permissions, and financial data boundaries should be verified before use.
