Xero
Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent Xero integration, but it gives the agent broad ability to create or modify sensitive accounting records without visible approval or scoping safeguards.
Review this skill before installing. It appears to do what it claims, but connect only the intended Xero tenant and require explicit confirmation before any action that creates or changes invoices, contacts, bank transactions, purchase orders, or other accounting records.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could create or change important accounting records in Xero if invoked with insufficiently specific instructions.
The skill exposes write actions for accounting and financial records, but the visible instructions do not require user confirmation, scoping, dry-runs, or rollback checks before high-impact mutations.
Use action names and parameters as needed. ... Create Invoice ... Create Bank Transaction ... Create Purchase Order
Only use this with explicit user approval for create/update/delete actions, and require the agent to show the exact Xero tenant, record type, parameters, and expected effect before making changes.
Connecting the wrong tenant or granting broad Xero permissions could expose or allow changes to business accounting data.
The integration requires delegated access to a Xero account through Membrane, including credential refresh. This is expected for the stated purpose but grants access to sensitive business data.
Membrane handles authentication and credentials refresh automatically ... membrane connection ensure "https://xero.com" --json
Connect only the intended Xero tenant, review the OAuth permissions, and prefer least-privilege access where Xero/Membrane supports it.
The installed CLI version may change over time, and the registry metadata does not fully describe this setup step.
The skill asks for a global CLI install from npm using the moving @latest tag, while the registry says there is no install spec. This appears central to the integration but is not pinned in the artifact.
npm install -g @membranehq/cli@latest
Verify the Membrane CLI package source before installing, and consider pinning a known-good version in controlled environments.
External setup responses could influence the agent's next steps if treated as authoritative instructions.
The skill anticipates dynamic instructions returned by the external connection flow. This can be legitimate setup guidance, but such text should not override the user's goal or safety checks.
clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically.
Treat returned agent instructions as untrusted operational hints and keep user intent, approval requirements, and safety policies higher priority.
Sensitive financial information may be processed through Membrane as part of normal operation.
Xero access and likely accounting data pass through the Membrane CLI/service. This is disclosed and purpose-aligned, but the artifact does not describe data retention or boundary details.
This skill uses the Membrane CLI to interact with Xero. Membrane handles authentication and credentials refresh automatically
Review Membrane's security, privacy, and data handling terms before connecting production Xero accounts.
