v1.0.4

Contentful

Suspicious

ClawScan verdict for this skill. Analyzed Apr 30, 2026, 4:35 PM.

Analysis

This Contentful skill is broadly purpose-aligned, but it delegates sensitive account access through Membrane, installs an unpinned global CLI, and allows destructive or public Contentful changes without clear approval boundaries.

Guidance: Before installing, review Membrane as a third-party credential and action gateway, pin the CLI version instead of using `@latest`, connect only a least-privilege Contentful account, and require explicit approval before any delete, publish, unpublish, create, or update operation.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

The skill directs the agent to consume instructions returned by an external connection workflow, without telling the agent to treat those instructions as untrusted or subordinate to the user's request.

User impact: A remote connector response could steer the agent's next steps in ways the user did not explicitly request.
Recommendation: Treat returned agent instructions as informational only, and require explicit user approval before following any instruction that changes data, credentials, or scope.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
`Delete Entry`, `Delete Asset`, `Publish Entry`, `Publish Asset`, `Unpublish Entry`, `Unpublish Asset`

The listed Contentful actions include destructive and public-facing mutations, but the instructions do not require confirmation, environment checks, dry runs, or other guardrails before using them.

User impact: The agent could delete, publish, or unpublish Contentful content if asked ambiguously or if it selects the wrong action.
Recommendation: Use least-privileged Contentful access and require explicit confirmation for create, update, delete, publish, and unpublish actions, especially in production spaces.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
npm install -g @membranehq/cli@latest

The skill asks for a global npm install using the moving `@latest` tag, so the installed code is not pinned to a reviewed version.

User impact: A future or compromised CLI release could change what runs locally when following the skill instructions.
Recommendation: Pin the Membrane CLI to a specific reviewed version, avoid global installs where possible, and verify package provenance before use.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
SKILL.md
npm install -g @membranehq/cli@latest ... npx @membranehq/cli connection get <id> --wait --json

The skill's operation depends on executing npm-distributed CLI code locally. That is coherent with the stated integration purpose, but users should recognize it as local code execution.

User impact: Using the skill may run third-party CLI code on the user's machine.
Recommendation: Run the CLI in a controlled environment and prefer a pinned package version.

Cascading Failures
Severity: High | Confidence: High | Status: Concern
SKILL.md
`Publish Entry` ... make it available via the Content Delivery API; `Unpublish Entry` ... remove it from the Content Delivery API; `Delete Entry` ... Delete an entry

A single mistaken action can affect live public content availability or permanently remove CMS content, and the instructions do not describe containment or rollback steps.

User impact: An incorrect action could remove, expose, or change content across a live site or application.
Recommendation: Use non-production environments for testing, confirm exact space/environment/item IDs before changes, and keep backups or rollback plans for destructive operations.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
Membrane handles authentication and credentials refresh automatically ... `List Spaces` ... Get all spaces the authenticated user has access to

The skill relies on delegated account access and refreshable credentials, and the available scope can include every Contentful space available to the authenticated user.

User impact: Installing and authenticating this skill may grant the agent broad ongoing access to Contentful resources through Membrane.
Recommendation: Authenticate with a dedicated least-privilege Contentful account or token, limit accessible spaces/environments, and revoke the Membrane connection when no longer needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Each result includes `id`, `name`, `description`, `inputSchema` ... and `outputSchema`

The agent is expected to rely on action descriptions and schemas returned by the external Membrane connection. This retrieved context is purpose-aligned, but it can influence later tool inputs.

User impact: Incorrect or overly broad returned action metadata could lead the agent to choose the wrong Contentful operation.
Recommendation: Have the agent summarize selected actions and parameters before use, and verify them against the user's intended space, environment, and content item.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
SKILL.md
This skill uses the Membrane CLI to interact with Contentful. Membrane handles authentication and credentials refresh automatically

The skill routes Contentful authentication and operations through the Membrane service, creating a third-party gateway boundary for sensitive credentials and content operations.

User impact: Contentful account authorization and operational data may be mediated by Membrane rather than handled only between the user and Contentful.
Recommendation: Review Membrane's access model and privacy terms, and only connect Contentful accounts with the minimum permissions needed.