v1.0.4

Lemon Squeezy

ReviewClawScan verdict for this skill. Analyzed Apr 30, 2026, 3:43 PM.

Analysis

This integration has a legitimate Lemon Squeezy purpose, but it asks for delegated account access, an unpinned global CLI install, and high-impact store actions without clear approval boundaries.

GuidanceInstall only if you trust Membrane and are comfortable granting it access to your Lemon Squeezy account. Pin and verify the CLI before installing, use the least-privileged account or store connection possible, and require explicit confirmation before any checkout, customer update, purchase, or subscription cancellation.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityMediumConfidenceHighStatusConcern

SKILL.md

`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

The skill tells the agent to consume instructions returned from an external connection workflow, but does not bound those instructions as advisory or subordinate to the user's request.

User impactA returned connector instruction could steer the agent's next steps in ways the user did not explicitly request.

RecommendationTreat returned agent instructions as untrusted guidance; show them to the user when they affect behavior and only follow them within the user's explicit goal.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

SKILL.md

Create Customer ... Update Customer ... Cancel Subscription | cancel-subscription | Cancels an active subscription.

The skill exposes mutating Lemon Squeezy operations, including destructive subscription cancellation, without visible approval, dry-run, or scope limits.

User impactAn agent mistake or overly broad request could change customer records or cancel real customer subscriptions.

RecommendationRequire explicit user confirmation for any create, update, purchase, checkout, or cancellation action, and limit actions to user-specified store IDs and object IDs.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

SKILL.md

npm install -g @membranehq/cli@latest

The skill instructs installation of a globally available npm package using the moving @latest tag, despite having no formal install spec or pinned version.

User impactThe installed CLI could change over time, affect the local environment globally, or introduce package supply-chain risk.

RecommendationUse a pinned CLI version, verify the package source, avoid global installation where possible, and prefer a reviewed install spec.

Unexpected Code Execution

SeverityLowConfidenceHighStatusNote

SKILL.md

npx @membranehq/cli connection get <id> --wait --json

The integration relies on local command execution through npm/npx tooling. This is purpose-aligned for a CLI-based integration, but users should know it executes local tooling.

User impactUsing the skill may run local CLI commands and potentially download or execute npm-provided code.

RecommendationRun the commands only in a trusted environment, prefer pinned versions, and review commands before executing them.

Cascading Failures

SeverityHighConfidenceHighStatusConcern

SKILL.md

Cancel Subscription | cancel-subscription | Cancels an active subscription.

A single wrong action or identifier can affect a real customer subscription in an external commerce system, and no containment or confirmation requirement is stated.

User impactA mistaken action could disrupt billing, revenue, or customer access.

RecommendationAdd explicit confirmation for destructive actions, show the exact target subscription/customer before acting, and prefer read-only or dry-run steps first.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

SKILL.md

Membrane handles authentication and credentials refresh automatically

The skill delegates and refreshes account credentials for an e-commerce platform, but the artifacts do not describe OAuth scopes, tenant limits, revocation, or least-privilege boundaries.

User impactThe integration may retain broad delegated access to Lemon Squeezy data and account actions after initial setup.

RecommendationReview the OAuth scopes and Membrane tenant connection, grant the minimum needed permissions, and revoke the connection when no longer needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

SKILL.md

This skill uses the Membrane CLI to interact with Lemon Squeezy. Membrane handles authentication and credentials refresh automatically

The skill routes Lemon Squeezy interaction and credential handling through Membrane as an external gateway/provider. This is disclosed and purpose-aligned, but it creates a third-party data and identity boundary.

User impactLemon Squeezy account data and authentication flows may be mediated by Membrane rather than only by the local agent and Lemon Squeezy.

RecommendationUse a trusted Membrane tenant, review Membrane's access and privacy expectations, and avoid connecting accounts with broader permissions than needed.