Paymill
Warn
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a real Membrane/PAYMILL integration, but it gives broad authenticated control over payment-gateway actions and raw API calls without clear confirmation or scope limits.
Install only if you intend an agent to access a PAYMILL account through Membrane. Use a test or least-privilege account, confirm every payment/refund/subscription or other write operation before it runs, avoid raw proxy requests unless necessary, and revoke the connection when finished.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could modify payment, refund, subscription, transaction, or other business records through the connected PAYMILL account.
The skill exposes generic action execution and a raw authenticated API proxy for a payment gateway, including write and delete methods, without artifact-backed limits or confirmation steps.
`membrane action run <actionId> --connectionId=CONNECTION_ID --json` ... `membrane request CONNECTION_ID /path/to/endpoint` ... `HTTP method (GET, POST, PUT, PATCH, DELETE)`
Require explicit user confirmation for any create, update, delete, payment, refund, or subscription action; prefer scoped Membrane actions over raw proxy requests; and review action schemas and payloads before execution.
Connecting a real payment account could let the agent act with the account's payment-gateway permissions until the connection is revoked or limited elsewhere.
The skill relies on delegated authenticated access and credential refresh for direct PAYMILL API calls, but the artifact does not bound the credential scope, account permissions, or revocation model.
Membrane handles authentication and credentials refresh automatically ... injects the correct authentication headers
Use a least-privilege or test PAYMILL connection where possible, verify which account is connected, and revoke the Membrane connection when it is no longer needed.
A future CLI release or compromised package source could affect what commands do on the user's machine.
The setup installs a global npm package at the `latest` tag rather than a fixed version, which is expected for a CLI-based integration but means its behavior can change over time.
`npm install -g @membranehq/cli@latest`
Install the CLI only from the trusted npm package source, consider pinning a reviewed version, and keep normal package-manager security hygiene.
Provider-returned or connector-returned instructions could influence the agent's next steps during setup.
The skill tells the agent that connection responses may include additional agent instructions. This can be useful setup guidance, but should not override the user's goal or safety checks.
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically
Treat returned agent instructions as advisory context, ignore unrelated instructions, and ask the user before following instructions that change scope or perform sensitive actions.
