Onepagecrm
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is a coherent OnePageCRM integration, but it gives the agent broad authenticated API access that can modify or delete CRM data without clearly documented approval or scope limits.
Install only if you are comfortable giving Membrane-mediated access to your OnePageCRM account. Before allowing the agent to run write or delete operations, confirm the exact records and endpoint/action it will use, and prefer read-only or predefined actions unless you intentionally want CRM data changed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent misunderstands a request or is given a bad instruction, it could change or delete CRM records through the authenticated OnePageCRM connection.
The skill gives the agent a raw authenticated API proxy with write and delete methods, rather than limiting it to safer predefined actions or requiring explicit confirmation for destructive operations.
membrane request CONNECTION_ID /path/to/endpoint ... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).
Use predefined Membrane actions where possible, require explicit user confirmation before POST/PUT/PATCH/DELETE requests, and restrict the allowed endpoints and actions to the user's stated task.
The connected account may allow the agent to view or modify CRM business data according to the permissions granted during authentication.
The integration requires delegated access to the user's Membrane and OnePageCRM accounts. This is expected for the stated purpose, but it is sensitive account authority.
Membrane handles authentication and credentials refresh automatically ... The user completes authentication in the browser. The output contains the new connection id.
Connect only the intended OnePageCRM account, use the least-privileged account available, review granted permissions, and revoke the connection when no longer needed.
Future versions of the CLI could behave differently from the version reviewed here.
The skill asks users to install a global CLI package using the moving `@latest` version. This is purpose-aligned, but it leaves behavior dependent on the current npm package version.
npm install -g @membranehq/cli@latest
Prefer a pinned, reviewed CLI version where possible, and install it only from the official npm package/source.
CRM data and API requests may pass through Membrane while using this integration.
CRM requests and responses are routed through Membrane as a third-party gateway. This is disclosed and purpose-aligned, but users should understand the data path.
send requests directly to the OnePageCRM API through Membrane's proxy ... injects the correct authentication headers
Review Membrane's data handling terms and avoid sending unnecessary sensitive CRM data through proxy requests.