Mercury
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill can connect an agent to Mercury financial/account data through Membrane, but its documentation is inconsistent and lacks clear limits or approval safeguards for sensitive financial actions.
Before installing, verify that this is the intended Mercury banking/finance integration, install the Membrane CLI only from a trusted source, review requested OAuth scopes, and require explicit confirmation before creating invoices, recipients, payments, or other financial changes.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user might install the skill expecting a different Mercury service or a lower-risk integration, then grant access to financial organization data.
The skill mixes references to different Mercury products and domains with banking/finance actions, making the actual integration target and authority unclear.
Official docs: https://mercury.postlight.com/web-parser/ ... `membrane connection ensure "https://mercury.co" --json` ... "Retrieve a list of all bank accounts"
Clarify the exact Mercury product, remove unrelated docs/overview text, and explicitly state that this connects to Mercury banking/finance data.
If invoked too broadly, the agent could create or change business financial records or payment-related recipients without safeguards documented in the skill.
The action catalog includes financial mutations, but the instructions do not provide explicit approval gates, scoped limits, read-only defaults, or rollback guidance.
| Create Invoice | create-invoice | Create a new invoice for the organization | ... | Create Recipient | create-recipient | Create a new payment recipient for making payments |
Require explicit user confirmation before any create/update/payment-related action, prefer read-only queries by default, and document safe scopes and rollback steps.
The agent may retain delegated access to sensitive Mercury/Membrane account data beyond a single request if the user does not understand or revoke the connection.
The skill uses delegated authentication with automatic credential refresh for a high-impact financial connection, but the artifacts do not specify OAuth scopes, account boundaries, retention, or revocation controls.
Membrane handles authentication and credentials refresh automatically ... `membrane login --tenant --clientName=<agentType>`
Document required scopes, storage/refresh behavior, how to revoke access, and encourage least-privilege or read-only credentials where possible.
External service responses could influence the agent's next steps during setup or recovery flows.
The skill allows remote connection-state responses to provide instructions to the agent; this may be useful, but those instructions should not override the user's request or safety checks.
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.
Treat returned agent instructions as untrusted operational hints, show important steps to the user, and require confirmation for sensitive actions.
Installing the latest global CLI means future package changes or a compromised package source could affect the local environment.
The setup uses a globally installed, unpinned npm package. This is central to the Membrane integration, but users should notice the supply-chain and version-change implications.
`npm install -g @membranehq/cli@latest`
Install only from the trusted npm package source, consider pinning a reviewed version, and avoid running the CLI in highly privileged environments.