Maintainx
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a real MaintainX integration, but it gives the agent broad authenticated API/proxy power that could change MaintainX business data without clear approval boundaries.
Only install this if you are comfortable giving the agent access to your MaintainX account through Membrane. Use a least-privileged account, pin or verify the CLI package if possible, and require explicit confirmation before any action that creates, updates, deletes, purchases, changes billing, or modifies users/settings.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad request could modify or delete MaintainX work orders, assets, users, billing/settings data, or other business records.
The skill documents a raw authenticated API proxy that can use mutating methods against arbitrary MaintainX endpoints, without showing clear user-confirmation, endpoint allowlisting, or rollback guidance.
membrane request CONNECTION_ID /path/to/endpoint ... HTTP method (GET, POST, PUT, PATCH, DELETE) ... injects the correct authentication headers
Require explicit user confirmation for every POST, PUT, PATCH, DELETE, purchase-order, billing, user, or settings action, and prefer narrowly scoped discovered actions over raw proxy requests.
The agent may be able to act with the permissions of the connected MaintainX account until the connection is revoked.
The skill requires delegated Membrane/MaintainX authentication and automatic credential refresh. This is expected for the integration, but it gives the agent access through the connected account.
Membrane handles authentication and credentials refresh automatically ... membrane login --tenant --clientName=<agentType>
Use a least-privileged MaintainX account or connection, review what permissions are granted, and revoke the Membrane connection when finished.
Installing the latest global CLI gives local execution privileges to whatever version npm resolves at install time.
The setup uses a globally installed npm package at the moving @latest version. This is normal for a CLI-based integration, but it means the executed CLI code may change over time.
npm install -g @membranehq/cli@latest
Install from the official package source, consider pinning a reviewed version, and avoid running the CLI with unnecessary elevated privileges.
