v1.0.4

Backlog

Review

ClawScan verdict for this skill. Analyzed Apr 30, 2026, 4:24 PM.

Analysis

This Backlog skill matches its stated purpose, but it grants broad authenticated Backlog access, supports destructive actions, relies on an unpinned global CLI install, and allows provider-supplied agent instructions.

Guidance: Install only if you trust Membrane and the npm CLI package. Before use, connect a least-privileged Backlog account if possible, confirm every create/update/delete action, avoid arbitrary proxy calls unless necessary, and revoke the Membrane connection when finished.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

The skill tells the agent to use instructions returned by an external connection workflow, but the visible instructions do not bound those instructions as untrusted data or require user confirmation before following them.

User impact: A remote connection response could influence what the agent does next, potentially steering it beyond the user's original request.
Recommendation: Treat provider-returned agent instructions as suggestions only; confirm with the user before following any instruction that changes scope, performs writes, or requests additional access.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
Proxy requests ... send requests directly to the Backlog API through Membrane's proxy ... HTTP method (GET, POST, PUT, PATCH, DELETE).

The skill exposes a broad authenticated proxy to the Backlog API, including destructive HTTP methods, without visible safeguards such as per-action approval, project scoping, or rollback guidance.

User impact: The agent could create, update, or delete Backlog data in a real workspace if it is given or infers the wrong parameters.
Recommendation: Require explicit user approval for write/delete actions, restrict requests to the intended project or issue, and prefer listed safe actions over arbitrary proxy calls.

Agentic Supply Chain Vulnerabilities
Severity: High | Confidence: High | Status: Concern
SKILL.md
npm install -g @membranehq/cli@latest

The skill asks for a global npm install using `@latest`, which is unpinned and outside the registry's declared no-install-spec posture.

User impact: Installing an unpinned global package can change local tooling behavior over time and runs code from the npm supply chain.
Recommendation: Use a pinned, reviewed CLI version and document it in the install specification; avoid global installs when a local or sandboxed invocation is sufficient.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
SKILL.md
Install the Membrane CLI so you can run `membrane` from the terminal: `npm install -g @membranehq/cli@latest`

The workflow depends on running an external CLI. That is expected for this integration, but it is still local command execution initiated by the skill instructions.

User impact: Using the skill may run locally installed command-line software, not just passive instructions.
Recommendation: Install and run the CLI only from a trusted environment, and review commands before executing them.

Cascading Failures
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Delete Issue | delete-issue ... Update Issue | update-issue ... Create Issue | create-issue

The skill can mutate shared project-management records. In a team Backlog workspace, a wrong action can affect collaborators and downstream workflows.

User impact: A mistaken delete, update, or comment could affect team-visible project data and cause follow-on confusion or workflow disruption.
Recommendation: Confirm target project, issue IDs, and intended changes before writes or deletes; avoid bulk or proxy operations unless the user explicitly requests them.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Membrane handles authentication and credentials refresh automatically ... injects the correct authentication headers — including transparent credential refresh if they expire.

The skill relies on delegated account credentials and automatic refresh. This is aligned with a Backlog integration, but it means the agent can act through the connected account.

User impact: Actions will be performed with the privileges of the connected Backlog/Membrane account.
Recommendation: Connect only the intended Backlog workspace/account, use the least-privileged account available, and revoke the Membrane connection when it is no longer needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
SKILL.md
send requests directly to the Backlog API through Membrane's proxy ... injects the correct authentication headers

The skill uses Membrane as a gateway between the agent and Backlog. This is central to the design, but it means request data and authenticated operations pass through an external provider boundary.

User impact: Backlog API requests and responses may be processed through Membrane while using the connected account's authorization.
Recommendation: Use this only if you trust Membrane for the relevant workspace data, and avoid sending unnecessary sensitive content through proxy requests.