Harvest
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Harvest/Membrane integration, but it can access and change business data, uses delegated authentication, and asks users to install an unpinned CLI.
Install only if you trust Membrane and need agent access to Harvest. Verify the CLI package, review OAuth permissions, and require confirmation before the agent creates or updates Harvest records.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could create or modify Harvest users, clients, projects, tasks, or time entries if instructed or if a task is misunderstood.
The skill exposes create/update operations for Harvest business records. This is consistent with a Harvest management integration, but users should confirm high-impact changes.
| Create User | create-user | Creates a new user. |
...
| Update Project | update-project | Updates the specific project ... |
Use the skill for intended Harvest tasks, but require explicit confirmation before running create/update actions or changing important business records.
Connecting the skill may let Membrane and the agent act through the authorized Harvest account within the granted permissions.
The integration relies on delegated authentication to Membrane/Harvest. This is expected for the stated purpose, but it grants ongoing account access.
Membrane handles authentication and credentials refresh automatically
Review the Harvest permissions requested during OAuth and revoke the connection if you no longer need the integration.
The installed CLI version may change over time, and a compromised or unexpected package version could affect the integration.
The setup uses a global npm install with the moving @latest tag. This is central to the skill’s operation, but it is not pinned to a reviewed version.
npm install -g @membranehq/cli@latest
Install the CLI only from the official npm package, consider pinning a known version, and verify the publisher before installation.
Harvest account data may be processed through Membrane while actions are listed or run.
Harvest data and authentication flow through Membrane as an intermediary service. This is disclosed and purpose-aligned, but users should understand the data boundary.
This skill uses the Membrane CLI to interact with Harvest.
Use this only if you trust Membrane with the relevant Harvest connection and avoid granting broader Harvest access than needed.
