Zoho Invoice

Warn

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Zoho Invoice integration, but it should be reviewed because it gives an agent broad authenticated access to run direct Zoho Invoice API requests, including write and delete operations.

Install only if you trust Membrane and are comfortable granting access to Zoho Invoice. Before use, require confirmation for any action that creates, updates, sends, charges, pays, or deletes records, and prefer a limited Zoho account or revocable test connection first.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked too broadly or incorrectly, the agent could create, change, or delete invoices, payments, expenses, customers, or other Zoho Invoice records.

Why it was flagged

This documents a broad authenticated raw API mechanism, including mutating and deleting methods, for a financial/business system without visible limits or approval requirements in the provided artifact.

Skill content

When the available actions don't cover your use case, you can send requests directly to the Zoho Invoice API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE).

Recommendation

Require explicit user confirmation before any POST, PUT, PATCH, or DELETE request; prefer listed scoped actions over raw proxy calls; limit allowed endpoints and use a least-privilege Zoho account.

What this means

The connected account may allow access to sensitive invoices, customers, payments, expenses, and other business records.

Why it was flagged

The skill relies on delegated Membrane/Zoho authentication and automatic credential refresh, which is expected for the integration but grants sensitive account authority.

Skill content

Membrane handles authentication and credentials refresh automatically... membrane login --tenant... The user completes authentication in the browser.

Recommendation

Review the Zoho/Membrane authorization scopes, use the least-privileged account available, and revoke the connection when it is no longer needed.

What this means

A compromised or unexpectedly changed CLI package could affect the local environment used to manage Zoho Invoice.

Why it was flagged

The setup asks for a global install of the latest Membrane CLI from npm. This is aligned with the skill purpose, but @latest is unpinned and global installation expands trust in that package.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Install from the official Membrane source, consider pinning a reviewed version, and avoid running the CLI with elevated system privileges.