ClawHub
Back to skill
v1.0.4

Ambivo

ReviewClawScan verdict for this skill. Analyzed Apr 30, 2026, 4:20 PM.

Analysis

Ambivo appears to be a legitimate integration, but it asks the agent to install and run an unpinned CLI, authenticate with persistent credentials, and perform broad business-data changes without clear approval or scope limits.

GuidanceBefore installing or using this skill, confirm you trust Membrane and the npm CLI package, pin the CLI version if possible, connect only a least-privileged Ambivo account, and require explicit confirmation before the agent creates or updates any Ambivo records.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
SeverityMediumConfidenceHighStatusConcern
SKILL.md
clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically.

The skill tells the agent to consume instructions returned by an external connection workflow, but does not say to treat them as advisory, validate them against the user request, or ignore conflicting instructions.

User impactThe agent could follow service-provided instructions that redirect setup or actions beyond what the user intended.
RecommendationOnly follow returned agent instructions when they are directly necessary for the user's request, show them to the user when they affect account data or permissions, and ignore any instruction that conflicts with the user or system policy.
Tool Misuse and Exploitation
SeverityHighConfidenceHighStatusConcern
SKILL.md
Create Order ... Create Lead ... Update Order ... Update Lead ... membrane action run <actionId> --connectionId=CONNECTION_ID --json

The skill exposes broad create and update actions through a generic action runner, but the instructions do not require explicit confirmation, scoping, dry-run behavior, or safeguards before mutating Ambivo records.

User impactA mistaken or overbroad agent action could create or change orders, invoices, deals, contacts, or leads in the user's Ambivo account.
RecommendationRequire explicit user confirmation for create/update/delete-style actions, limit actions to the requested records, and prefer read-only queries unless the user clearly asks for a mutation.
Agentic Supply Chain Vulnerabilities
SeverityMediumConfidenceHighStatusConcern
SKILL.md
npm install -g @membranehq/cli@latest

The runtime instructions install a global npm package using the moving @latest tag, so the executed code is not pinned to a reviewed version.

User impactA future or compromised package release could change what code is installed and run on the user's machine.
RecommendationPin the CLI to a known-good version, verify the package source and publisher, and avoid global installs when a temporary or isolated installation is sufficient.
Unexpected Code Execution
SeverityMediumConfidenceHighStatusConcern
SKILL.md
npx @membranehq/cli connection get <id> --wait --json

The skill instructs the agent to execute CLI code via npx at runtime; combined with the unpinned install guidance, this can run downloaded code outside the static skill artifacts.

User impactThe user's local environment may execute code that was not included in the reviewed skill package.
RecommendationInstall a pinned CLI version from a trusted source before use, avoid on-demand npx execution where possible, and run commands in a constrained environment.
Cascading Failures
SeverityMediumConfidenceHighStatusConcern
SKILL.md
Ambivo is a customer data platform (CDP) ... used by marketing, sales, and customer service teams

The skill operates on shared customer-data systems used by multiple business teams; erroneous create/update actions could propagate into downstream sales, marketing, or support workflows.

User impactIncorrect updates could affect shared customer records, reporting, automations, or customer-facing processes.
RecommendationUse small, specific operations; review affected records before making changes; and require confirmation for bulk or business-impacting updates.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityHighConfidenceHighStatusConcern
SKILL.md
Membrane handles authentication and credentials refresh automatically

The skill relies on authenticated Membrane/Ambivo account access with automatic credential refresh, but the artifacts do not define least-privilege scopes, credential lifetime, or boundaries on what the agent may do with that authority.

User impactThe agent may act with the user's Ambivo/Membrane account authority and retain usable connection credentials longer than the immediate task requires.
RecommendationUse a least-privileged Ambivo/Membrane account, review requested scopes during login, revoke the connection after use if not needed, and avoid granting administrative access unless required.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
If no app is found, one is created and a connector is built automatically.

The skill uses Membrane as an external connection and connector layer, including automatic connector creation, so users should understand that Ambivo access and action mediation occur through that provider workflow.

User impactAmbivo data and authentication workflows may pass through Membrane-managed connection infrastructure rather than only direct Ambivo interactions.
RecommendationReview Membrane's connection permissions and privacy terms, and only connect accounts whose data you are comfortable routing through this integration layer.