Exact Online

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Exact Online/Membrane integration, but it can access and create sensitive accounting records without clear guardrails for write operations.

Install only if you trust Membrane with your Exact Online account and data. Before using it, confirm the exact organization/tenant being connected, use the least-privileged account available, and require a manual review before any invoice, order, purchase, contact, account, or other write operation is executed.

VirusTotal

65/65 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation (Severity: Medium)
What this means

If an agent misinterprets a request or acts too broadly, it could create real business or accounting records in Exact Online.

Why it was flagged

The skill exposes broad, dynamic action use for an accounting/ERP system, including creation of financial and CRM records, but the visible instructions do not require confirmation, scoping, or rollback guidance for write actions.

Skill content
Use action names and parameters as needed. ... Create Account | create-account ... Create Sales Invoice | create-sales-invoice
Recommendation

Require explicit user confirmation before any create, update, delete, invoice, order, payment, or purchase-related action; the confirmation prompt should show the connection, the action name, the parameters, and the expected effect.

ASI03: Identity and Privilege Abuse (Severity: Low)
What this means

The connected Membrane/Exact Online account may remain usable until the user revokes access, and actions will run with that account's permissions.

Why it was flagged

The integration requires delegated login and ongoing credential refresh through Membrane, which is expected for Exact Online access but gives the connected account continuing authority.

Skill content
Membrane handles authentication and credentials refresh automatically ... membrane login --tenant --clientName=<agentType>
Recommendation

Use a least-privileged Exact Online account where possible, review OAuth scopes and Membrane access, and revoke the connection when it is no longer needed.

ASI04: Agentic Supply Chain Vulnerabilities (Severity: Low)
What this means

Future CLI versions could behave differently from the version reviewed by the user.

Why it was flagged

The setup depends on installing the latest global Membrane CLI from npm; this is disclosed and purpose-aligned, but the exact package version is not pinned in the skill artifact.

Skill content
npm install -g @membranehq/cli@latest
Recommendation

Install from a trusted environment, consider pinning a known CLI version, and verify the package source before use.

ASI07: Insecure Inter-Agent Communication (Severity: Low)
What this means

Business, CRM, invoice, and accounting data may pass through the Membrane service as part of normal operation.

Why it was flagged

Exact Online requests, responses, and authentication flows are routed through Membrane as an external integration provider, which is expected but important for sensitive accounting data.

Skill content
Requires network access and a valid Membrane account ... This skill uses the Membrane CLI to interact with Exact Online.
Recommendation

Review Membrane's security and privacy terms and avoid using the skill with data or tenants that should not be processed through that provider.