v1.0.3

Ogment

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:24 AM.

Analysis

This is a coherent Ogment integration skill, but it can give the agent broad access to connected email, workspace, and database tools, so it should be reviewed carefully before installation.

Guidance: Treat this as a powerful integration skill rather than a simple helper. Before installing, review which SaaS accounts are connected to Ogment, limit scopes wherever possible, avoid production database access unless necessary, and require explicit confirmation before the agent sends messages, edits records, runs SQL, deletes data, or performs other irreversible actions.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High; Confidence: High; Status: Concern
SKILL.md
ogment invoke <serverId> <toolName> --input '<json>'

The skill exposes a generic invocation pattern for arbitrary discovered MCP tools and JSON inputs, without documenting confirmation requirements or limits for high-impact actions.

User impact: After Ogment access is approved, the agent may be able to call many connected tools, including tools that read or change business data, workspace content, email, or databases.
Recommendation: Install only if you trust the Ogment account configuration, and require explicit user confirmation for any write, send, delete, SQL, or account-changing action.

Tool Misuse and Exploitation
Severity: High; Confidence: High; Status: Concern
SKILL.md
ogment invoke <server> Supabase_execute_sql --input '{"query": "SELECT * FROM users LIMIT 5"}'

The documented examples include a raw SQL execution tool. Even though the example query is read-only, an execute_sql interface is high-impact unless tightly scoped and approval-gated.

User impact: A database SQL tool could expose sensitive records or, depending on permissions, modify or delete production data.
Recommendation: Restrict database credentials to read-only where possible, avoid production databases by default, and require explicit review for every SQL query.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
SKILL.md
package: "@ogment-ai/cli"

The skill installs and relies on an external CLI package, and the install specification does not pin a package version. This is expected for the skill’s purpose but still affects trust and provenance.

User impact: The behavior of the skill depends on the installed Ogment CLI package rather than code included in the skill artifact.
Recommendation: Install from trusted package sources, prefer pinned or audited versions where available, and keep the CLI updated according to Ogment’s guidance.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High; Confidence: High; Status: Concern
SKILL.md
Access your connected SaaS tools (Linear, Notion, Gmail, Slack, Supabase, etc.) through Ogment's governance layer.

The skill depends on delegated access to multiple third-party accounts and services, including sensitive email, workspace, and database systems.

User impact: The agent may operate with the user’s or organization’s connected-service permissions, which can expose private messages, documents, tickets, and database data.
Recommendation: Review Ogment scopes, connected integrations, and organization policies before enabling this skill; use least-privilege connections and disconnect services not needed for the task.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
ogment auth status ... ogment auth login ... Approve Ogment access

The skill requires an Ogment login and approval flow, but the registry metadata declares no primary credential or required environment variables, so the sensitive delegated-auth dependency is under-declared.

User impact: A user may underestimate that installing or using the skill involves granting an authenticated Ogment session capable of reaching connected services.
Recommendation: Make the credential/session requirement explicit to users and document how to revoke Ogment CLI access.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium; Confidence: Medium; Status: Note
SKILL.md
Invoke MCP tools via Ogment CLI — secure access to Linear, Notion, Gmail, PostHog, and 100+ SaaS integrations through Ogment's governance layer.

The skill routes agent actions through an MCP/gateway-style integration layer to many external services. This is disclosed and purpose-aligned, but users should understand the data boundary.

User impact: Prompts, tool inputs, and tool results may involve sensitive SaaS data moving through Ogment and connected provider systems.
Recommendation: Confirm Ogment’s data handling, logging, retention, and access-control policies before using the skill with sensitive workspaces or personal accounts.