Karbon
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a genuine Karbon integration, but it warrants review before installation because, through Membrane, it can make broad authenticated changes to Karbon data, including via raw API requests.
Install only if you trust Membrane and need an agent to operate on Karbon data. Use a least-privileged account, confirm the correct tenant, require approval before create/update/delete/user/role changes, and avoid raw proxy requests unless you have verified the exact endpoint and method.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could create, change, or delete Karbon business/account records if it chooses the wrong endpoint or runs a destructive request without clear confirmation.
The skill documents an authenticated raw request path, including DELETE, that can bypass curated action schemas and operate directly against the Karbon API.
When the available actions don't cover your use case, you can send requests directly to the Karbon API through Membrane's proxy... injects the correct authentication headers ... HTTP method (GET, POST, PUT, PATCH, DELETE).
Prefer listed Karbon actions over raw proxy calls, and require explicit user confirmation for create, update, delete, user, role, or bulk operations. Verify the endpoint, method, and input before running proxy requests.
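The confirmation rule above is easier to rely on when the agent harness enforces it mechanically instead of leaving it to the model's judgement. The following is an added example, not code from the skill, from Membrane or from Karbon: a pre-flight gate that classifies a proposed raw proxy request before it is forwarded. The endpoint patterns (/v3/Contacts, /v3/WorkItems, /v3/Users, /v3/Roles), the bulk heuristic, and the `approve`/`forward`/`audit` hooks are assumptions for illustration; a deployment would substitute the endpoints it has actually verified and its own confirmation prompt.

```javascript
// Added example: pre-flight gate for raw Membrane proxy requests to Karbon.
// Not part of the skill or of Membrane's CLI. Endpoint patterns are assumed.

const READ_METHODS = new Set(["GET", "HEAD"]);
const MUTATING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Read-only endpoints the operator has verified against the Karbon API docs (assumed list).
const VERIFIED_READ_ENDPOINTS = [
  /^\/v3\/Contacts(\/[A-Za-z0-9]+)?$/,
  /^\/v3\/WorkItems(\/[A-Za-z0-9]+)?$/,
];

// Writes to identity/access resources get their own category in the approval prompt (assumed paths).
const IDENTITY_ENDPOINTS = [/^\/v3\/Users(\/|$)/, /^\/v3\/Roles(\/|$)/];

// Accept only a clean absolute path; reject anything that could change the target
// after proxying (absolute URLs, traversal, encoded separators, backslashes).
function normalizePath(rawPath) {
  if (typeof rawPath !== "string" || !rawPath.startsWith("/")) return null;
  const pathOnly = rawPath.split(/[?#]/, 1)[0];
  if (/(^|\/)\.\.(\/|$)/.test(pathOnly) || /%2f/i.test(pathOnly) ||
      pathOnly.includes("//") || pathOnly.includes("\\")) {
    return null;
  }
  return pathOnly;
}

// Heuristic (assumed): a top-level array with more than one element is a bulk write.
function isBulkBody(body) {
  return Array.isArray(body) && body.length > 1;
}

// Returns { decision: "allow" | "needs_approval" | "deny", reason, category? }.
function classifyProxyRequest({ method, path, body }) {
  const m = String(method || "").toUpperCase();
  const p = normalizePath(path);
  if (p === null) {
    return { decision: "deny", reason: `unsafe or malformed path: ${path}` };
  }
  if (!READ_METHODS.has(m) && !MUTATING_METHODS.has(m)) {
    return { decision: "deny", reason: `unsupported method: ${method}` };
  }
  if (READ_METHODS.has(m)) {
    if (VERIFIED_READ_ENDPOINTS.some((re) => re.test(p))) {
      return { decision: "allow", reason: "read of a verified endpoint" };
    }
    return { decision: "needs_approval", category: "unverified_read",
             reason: `${m} of an endpoint not on the verified list: ${p}` };
  }
  // Every mutating request needs explicit user confirmation; the category lets
  // the approval prompt say what kind of change is being authorised.
  const category = IDENTITY_ENDPOINTS.some((re) => re.test(p)) ? "identity_change"
    : isBulkBody(body) ? "bulk_write"
    : m === "DELETE" ? "delete"
    : "write";
  return { decision: "needs_approval", category,
           reason: `${m} ${p} is a ${category.replace("_", " ")}` };
}

// Wire-up: forward only when the gate allows or the user approved. `approve` is
// the harness's confirmation prompt and `forward` is the proxy call; both are
// injected so the gate itself never handles credentials.
async function gateProxyRequest(req, { approve, forward, audit }) {
  const verdict = classifyProxyRequest(req);
  audit({ ...verdict, method: req.method, path: req.path });
  if (verdict.decision === "deny") throw new Error(`blocked: ${verdict.reason}`);
  if (verdict.decision === "needs_approval" && !(await approve(verdict, req))) {
    throw new Error(`not approved: ${verdict.reason}`);
  }
  return forward(req);
}
```

The gate deliberately denies, rather than asks about, paths it cannot normalise: a traversal segment or an encoded slash could make the proxied request land on a different resource than the one the user was shown, so there is nothing meaningful to approve.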
The connected Membrane/Karbon account may allow the agent to access or modify sensitive practice-management data.
The integration requires delegated authenticated access through Membrane. This is expected for a Karbon integration, but it gives the CLI/provider ongoing authority to act on the connected account.
membrane login --tenant --clientName=<agentType> ... Membrane handles authentication and credentials refresh automatically
Use the correct tenant and a least-privileged account where possible, monitor connected apps, and revoke the connection when it is no longer needed.
A compromised or silently updated CLI package would run locally with the user's permissions.
The documented setup installs a global CLI package from npm using the moving @latest tag, so each install resolves to whichever version is current at that moment. This is purpose-aligned, but it carries the usual package-provenance and version-drift risk: the code reviewed today is not necessarily the code installed tomorrow.
npm install -g @membranehq/cli@latest
Install only the expected package name from the npm registry, pin a version you have reviewed rather than @latest, and move to newer versions through a controlled process (review the change, then update the pin).
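Two checks make the pinning advice above enforceable: refuse install specs that are not an exact version, and compare what is actually installed against the reviewed pin so drift is noticed. The following is an added example, not code from the skill or from Membrane's CLI; the version numbers are constructed, and the global-install location is described in a comment rather than read by the code so the block runs offline.

```javascript
// Added example: install-policy checks for the CLI package. Not part of the
// skill or of Membrane's CLI. Versions below are constructed for illustration.

// Split "name@spec". Scoped names start with "@", so split on the LAST "@".
// A bare name resolves to the "latest" dist-tag, which is a moving target too.
function parseSpec(arg) {
  const at = arg.lastIndexOf("@");
  if (at <= 0) return { name: arg, spec: "latest" };
  return { name: arg.slice(0, at), spec: arg.slice(at + 1) };
}

// Only an exact semver version is a pin; ranges (^, ~, >=, x) and dist-tags
// (latest, next, beta) can resolve to different code on every install.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function checkInstallArg(arg) {
  const { name, spec } = parseSpec(arg);
  if (!EXACT_SEMVER.test(spec)) {
    return { ok: false, name, spec,
             reason: `"${arg}" is not pinned: "${spec}" is a dist-tag or range` };
  }
  return { ok: true, name, spec };
}

// Drift check against the reviewed pin. `manifest` is the package.json of the
// globally installed copy, e.g. "$(npm root -g)/@membranehq/cli/package.json".
function assessInstalled(manifest, expectedName, expectedVersion) {
  if (!manifest || manifest.name !== expectedName) {
    return { ok: false, reason: `expected package ${expectedName}, found ${manifest && manifest.name}` };
  }
  if (manifest.version !== expectedVersion) {
    return { ok: false, reason: `version drift: reviewed ${expectedVersion}, installed ${manifest.version}` };
  }
  return { ok: true, reason: `installed ${manifest.name}@${manifest.version} matches the reviewed pin` };
}

// Build the pinned install command in argv form (no shell quoting), refusing
// to build one for a spec that is not an exact version.
function pinnedInstallArgv(name, version) {
  const check = checkInstallArg(`${name}@${version}`);
  if (!check.ok) throw new Error(check.reason);
  return ["npm", "install", "-g", `${name}@${version}`];
}
```

Run `checkInstallArg` over the install line in any setup script or CI job, and `assessInstalled` periodically on the machines where the CLI lives; a mismatch is the signal to re-review before the agent uses the new version.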
If over-trusted, returned instructions could steer the agent's next steps during setup or connection handling.
The skill allows Membrane connection responses to provide procedural instructions to the agent. This is likely intended setup guidance, but remote instructions should not override the user's goal or safety checks.
clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically.
Treat returned agent instructions as advisory, keep them limited to the current Karbon connection task, and do not let them override user approval or destructive-action safeguards.
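One way to keep remote instructions advisory, as the recommendation above asks, is to never let them enter the agent's context as anything other than quoted data, and to accept only a small allowlist of structured connection-task steps in response. The following is an added example, not code from the skill or from Membrane: the step names, the trusted host `membrane.example`, and the response fields other than `clientAction.agentInstructions` are assumptions for illustration.

```javascript
// Added example: keeping Membrane's clientAction.agentInstructions advisory.
// Not part of the skill or of Membrane's CLI. The step allowlist, the trusted
// host and the response shape beyond agentInstructions are assumptions.

// Only steps that belong to the connection task may be taken in response to
// remote instructions. Anything else is handed back to the user.
const CONNECTION_STEPS = new Set(["open_url", "wait_for_connection", "retry_login", "ask_user"]);
const TRUSTED_HOSTS = new Set(["membrane.example"]); // assumed; pin to the real Membrane host

// Wrap remote text as quoted, labelled data so it reaches the model as evidence,
// never as operator or system instructions. "<" is escaped so the text cannot
// close the wrapper early and pose as something outside it.
function toUntrustedContext(clientAction) {
  const raw = clientAction && typeof clientAction.agentInstructions === "string"
    ? clientAction.agentInstructions
    : "";
  const text = raw.replace(/</g, "&lt;");
  return {
    source: "membrane.clientAction.agentInstructions",
    trust: "untrusted",
    content: `<remote_instructions source="membrane" trust="advisory">\n${text}\n</remote_instructions>`,
  };
}

// Validate a structured step the agent proposes after reading the instructions.
// Free text is never executed; only allowlisted step types with checked arguments.
function validateNextStep(step) {
  if (!step || !CONNECTION_STEPS.has(step.type)) {
    return { ok: false, reason: `step "${step && step.type}" is outside the connection task; ask the user instead` };
  }
  if (step.type === "open_url") {
    let url;
    try { url = new URL(step.url); } catch { return { ok: false, reason: `invalid url: ${step.url}` }; }
    if (url.protocol !== "https:" || !TRUSTED_HOSTS.has(url.hostname)) {
      return { ok: false, reason: `refusing to open ${url.origin}: not the Membrane host over https` };
    }
  }
  return { ok: true };
}

// Flow: wrap the remote text, let the planner (the model) propose a step from
// that context plus the user's goal, then gate the step. The planner only ever
// sees the instructions inside the untrusted wrapper.
function handleConnectionResponse(response, userGoal, planner) {
  const ctx = toUntrustedContext(response && response.clientAction);
  const step = planner({ userGoal, remote: ctx });
  const verdict = validateNextStep(step);
  return verdict.ok
    ? { action: step, ...verdict }
    : { action: { type: "ask_user", reason: verdict.reason }, ...verdict };
}
```

The important property is that the destructive-action and approval safeguards sit outside this path entirely: a remote instruction can at most cause one of the four listed steps, none of which touches Karbon data, so it has no way to bypass the confirmation rules that apply to writes.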
