Lmnt
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is broadly an LMNT/Membrane integration, but its stated purpose is inconsistent and it allows broad authenticated API requests, including write/delete operations, without clear scoping guidance.
Before installing, confirm which LMNT service this is meant to connect to and what data it can access. If you use it, prefer listed/discovered actions and require explicit confirmation before any POST, PUT, PATCH, or DELETE proxy request.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent may connect the wrong service or grant access under an incorrect understanding of what data the skill manages.
This conflicts with the provided skill description claiming the skill manages Leads, Persons, Organizations, Deals, Projects, and Pipelines, making the intended LMNT product and data scope ambiguous.
LMNT is an electrolyte drink mix formulated with a salty taste... LMNT Overview - Element - Property - Material - Project - Report - Task - User
Clarify the target LMNT product, API domain, and supported object types before installation or use.
An agent could make broad account-changing API calls if it chooses the wrong endpoint or method.
The skill exposes a raw authenticated API escape hatch with mutating and destructive methods, but does not define approval, scope, or safety checks for high-impact actions.
you can send requests directly to the LMNT API through Membrane's proxy... Flag ... HTTP method (GET, POST, PUT, PATCH, DELETE)
Prefer discovered Membrane actions, require explicit user confirmation for write/delete requests, and document safe endpoint boundaries.
The connected account may remain accessible to the integration until revoked or disconnected.
The skill requires delegated account authentication and persistent credential refresh through Membrane, which is expected for the integration but important for users to notice.
membrane login --tenant --clientName=<agentType> ... Membrane handles authentication and credentials refresh automatically
Use the least-privileged LMNT/Membrane account available and confirm how to revoke the connection.
The behavior depends on an external package version that may change after the skill review.
The skill relies on installing a global npm CLI at the latest version rather than a pinned version. This is coherent with the Membrane workflow, but it leaves the exact installed code outside the reviewed artifact.
npm install -g @membranehq/cli@latest
Verify the Membrane CLI package source and consider using a pinned version in controlled environments.