Corsizio
Analysis
The skill matches its Corsizio purpose, but it asks the agent to install and use a mutable third-party CLI with broad authenticated access to manage live Corsizio data.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.
The skill allows retrieved connection-state content to provide instructions to the agent. This is purpose-aligned for setup, but the agent should treat it as untrusted operational data, not as authority over the user's request.
membrane action run <actionId> --connectionId=CONNECTION_ID --input '{"key": "value"}' --json ... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).
The skill permits arbitrary discovered Corsizio actions and direct authenticated proxy requests, including mutating HTTP methods, without stated confirmation, dry-run, or scope restrictions.
npm install -g @membranehq/cli@latest
The skill instructs a global npm installation using the mutable `@latest` tag, while the package version and install behavior are not pinned in an install spec.
Install the Membrane CLI so you can run `membrane` from the terminal: `npm install -g @membranehq/cli@latest`
Installing and running an npm CLI executes local code. This is disclosed and aligned with the integration purpose, but it is still local code execution outside the instruction-only artifact.
Corsizio is a platform for selling and managing classes, workshops, and events online ... handle registration, payments, and communication with attendees.
The skill operates on live operational data involving registrations, payments, and attendee communications; combined with mutating proxy/action capabilities, a mistaken action can propagate to real users and business records.
Primary credential: none
The registry-facing requirements can make the skill look credential-free, while SKILL.md later requires Membrane login and authenticated Corsizio connection setup. The skill does disclose authentication in its instructions, so this is a note rather than a deceptive-content concern.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Membrane handles authentication and credentials refresh automatically ... injects the correct authentication headers — including transparent credential refresh if they expire.
The skill delegates authenticated Corsizio access and credential refresh to Membrane, but the artifacts do not clearly define least-privilege scope, retention, revocation, or approval boundaries for the resulting account authority.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
send requests directly to the Corsizio API through Membrane's proxy ... injects the correct authentication headers
Corsizio API traffic and authenticated requests are routed through Membrane as a gateway. This is disclosed and purpose-aligned, but users should understand the intermediary and data boundary.
