ClawHub
Back to skill
v1.0.4

Airbyte

ReviewClawScan verdict for this skill. Analyzed Apr 30, 2026, 4:18 PM.

Analysis

This looks like a real Airbyte integration, but it gives the agent broad Airbyte account powers and relies on an unpinned global CLI install without clear approval or scope limits.

GuidanceBefore installing, confirm you trust Membrane and the npm CLI package, use a least-privileged Airbyte account, avoid production workspaces until tested, and require explicit confirmation before the agent creates or updates Airbyte resources or sends proxy API requests.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
SeverityLowConfidenceMediumStatusNote
SKILL.md
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

The skill allows instructions returned by an external connection workflow to guide the agent. This may be useful, but the artifact does not tell the agent to treat those dynamic instructions as untrusted or subordinate to the user's request.

User impactAn external service response could influence how the agent proceeds during connection setup.
RecommendationTreat returned agent instructions as suggestions only, and confirm any step that changes account data, credentials, or permissions.
Tool Misuse and Exploitation
SeverityHighConfidenceHighStatusConcern
SKILL.md
Create Connection ... Create Destination ... Create Source ... Create Workspace ... Update Connection ... Update Workspace

The listed actions include broad Airbyte administrative mutations. The instructions also show generic `membrane action run` usage, but do not require explicit user approval for create/update operations.

User impactThe agent could make significant changes to Airbyte configuration, data pipeline connections, or workspaces if invoked too broadly.
RecommendationRequire explicit user confirmation for create, update, delete, sync, or proxy API actions, and restrict actions to a named workspace or connection when possible.
Agentic Supply Chain Vulnerabilities
SeverityMediumConfidenceHighStatusConcern
SKILL.md
npm install -g @membranehq/cli@latest

The skill depends on a globally installed npm package using the moving `@latest` tag. That is not pinned to a reproducible version and is only introduced in runtime instructions rather than an install specification.

User impactA future or compromised CLI release could change what runs on the user's machine when following the skill instructions.
RecommendationPin the CLI to a reviewed version, avoid global installation where possible, and verify the package source before installing.
Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
SKILL.md
npx @membranehq/cli connection get <id> --wait --json

The skill instructs shell execution of a CLI through npm/npx. This is purpose-aligned for a CLI-based integration, but users should recognize that it executes external package code.

User impactFollowing the instructions runs local command-line code from the Membrane npm package.
RecommendationRun these commands only in an environment where installing and executing the Membrane CLI is acceptable.
Cascading Failures
SeverityMediumConfidenceHighStatusConcern
SKILL.md
Airbyte ... consolidate data from different sources into data warehouses, data lakes, and databases.

Airbyte manages data pipelines that can affect downstream data stores. The skill also exposes create/update operations, so a mistaken action can propagate beyond a single API call.

User impactA bad configuration change could affect data movement into warehouses, lakes, databases, or other connected systems.
RecommendationConfirm pipeline-changing actions, test in a non-production workspace first, and keep rollback details for changed connections or destinations.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityHighConfidenceHighStatusConcern
SKILL.md
Membrane handles authentication and credentials refresh automatically

The skill relies on delegated authentication and automatic credential refresh. Combined with Airbyte create/update capabilities, this grants continuing account authority that is not clearly scoped or bounded in the artifact.

User impactInstalling and using the skill may let the agent act with ongoing Airbyte/Membrane-authorized access, including account or pipeline changes.
RecommendationUse the least-privileged Airbyte/Membrane account possible, review granted scopes, and revoke the connection when the task is complete.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceMediumStatusNote
SKILL.md
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

The agent may ingest dynamic instructions from connection state. That is useful for setup, but it creates a context channel that should not be over-trusted.

User impactReturned setup instructions could influence the agent's later decisions if treated as authoritative.
RecommendationKeep external setup instructions scoped to the current task and do not let them override user instructions or safety checks.
Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
Membrane automatically appends the base URL to the path you provide and injects the correct authentication headers

The skill routes Airbyte API access through the Membrane proxy/gateway, which mediates authenticated requests. This is disclosed and purpose-aligned, but users should understand that data and authorized requests pass through that provider.

User impactAirbyte request data and authenticated API operations may be mediated by Membrane rather than going directly from the user to Airbyte.
RecommendationReview Membrane's trust boundary and only connect accounts whose data may be routed through that service.