Sales Simplify

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Sales Simplify looks like a disclosed Membrane connector, but it needs review because it allows authenticated raw API calls that could change or delete CRM data without built-in guardrails.

Install only if you are comfortable with Membrane handling the Sales Simplify connection. Use least-privileged access, verify the CLI package, and require explicit approval before the agent runs any raw API request that creates, updates, or deletes CRM data.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

If the agent uses the wrong endpoint or payload, it could create, change, or delete Sales Simplify CRM records.

Why it was flagged

The skill exposes a broad authenticated API escape hatch, including destructive methods such as DELETE, without documented scoping, confirmation, or rollback guidance.

Skill content

When the available actions don't cover your use case, you can send requests directly to the Sales Simplify API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE).

Recommendation

Prefer pre-built Membrane actions, require explicit user confirmation before POST/PUT/PATCH/DELETE requests, and verify endpoints and payloads before running raw proxy commands.

ASI03: Identity and Privilege Abuse
Low
What this means

The connected Membrane account can act on the user's Sales Simplify data according to the permissions granted during authentication.

Why it was flagged

The skill relies on delegated Membrane/Sales Simplify authentication and automatic credential refresh, which is expected for the integration but grants account-level authority through the connected service.

Skill content

Membrane handles authentication and credentials refresh automatically... Membrane automatically... injects the correct authentication headers

Recommendation

Connect only the intended account, use the least-privileged Sales Simplify access available, and revoke the Membrane connection when it is no longer needed.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing a global CLI gives that package local executable access on the user's system.

Why it was flagged

The setup asks the user to install a global npm CLI. This is central to the skill's purpose and user-directed, but global CLI installation introduces normal package-provenance risk.

Skill content

npm install -g @membranehq/cli

Recommendation

Verify the npm package and publisher, consider pinning a known version, and install it only in an environment where running the Membrane CLI is acceptable.