v1.0.4

Google Workspace

Suspicious

ClawScan verdict for this skill. Analyzed Apr 30, 2026, 3:02 PM.

Analysis

This skill is not clearly malicious, but it enables broad Google Workspace administration through a third-party CLI with unpinned installation and limited safeguards around destructive actions.

Guidance: Before installing, verify that you trust Membrane and the npm CLI package, pin or review the CLI version if possible, inspect the Google OAuth scopes, use the least-privileged Workspace account, and require explicit confirmation before any delete, update, or tenant-wide action.

Findings (9)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

The skill allows instructions returned by the connection flow to guide the agent. That may be purpose-aligned, but returned instructions should not override the user's goal or safety checks.

User impact: A connector or service response could influence the agent's next steps in ways the user did not explicitly request.
Recommendation: Treat returned agent instructions as advisory, and confirm with the user before following them for sensitive or destructive actions.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
`| Delete Group | delete-group | Deletes a group from Google Workspace |`

The skill exposes destructive Google Workspace administration actions, but the instructions do not define required approvals, dry-runs, scoping, or rollback handling.

User impact: A mistaken or overbroad agent action could delete or alter important Google Workspace resources.
Recommendation: Require explicit user confirmation for each destructive action, show the exact target, and prefer dry-run or read-only steps before making changes.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
`npm install -g @membranehq/cli@latest`

The skill instructs installing the latest global npm package at runtime. Because it is unpinned, the executed CLI can change over time and is not locked by the provided artifacts.

User impact: A future or compromised package version could change what code runs locally when the user follows the skill instructions.
Recommendation: Pin the CLI to a reviewed version, publish an install spec, and verify the package source and integrity before installation.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
SKILL.md
`npx @membranehq/cli connection get <id> --wait --json`

The skill relies on local CLI execution through npm/npx. This is purpose-aligned for a CLI-based integration, but users should notice that an instruction-only skill still causes executable commands to run.

User impact: Using the skill may run locally installed or fetched CLI code on the user's machine.
Recommendation: Run the CLI only in an environment where npm-installed command-line tools are allowed, and prefer a pinned reviewed version.

Cascading Failures
Severity: High | Confidence: High | Status: Concern
SKILL.md
`Delete Organizational Unit | delete-org-unit | Deletes an organizational unit`

Organizational-unit, group, and user administration can affect many users and resources across a Workspace tenant. The artifacts do not show containment, staging, or recovery controls.

User impact: One mistaken instruction could cause broad organization-wide disruption.
Recommendation: Use least-privileged accounts, require confirmation for tenant-wide changes, stage changes where possible, and document rollback steps.

Human-Agent Trust Exploitation
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Membrane handles authentication and credentials refresh automatically — so you can focus on the integration logic rather than auth plumbing.

This wording may make sensitive credential handling sound routine. It is not inherently deceptive, but users should still understand the security implications of delegated, refreshable access.

User impact: A user may underestimate how much access they are granting through the authentication flow.
Recommendation: Clearly disclose requested scopes, credential storage, refresh behavior, and revocation instructions before users authenticate.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
Membrane handles authentication and credentials refresh automatically

The skill relies on delegated authentication and refreshable credentials for Google Workspace through Membrane, but the artifacts do not define OAuth scopes, privilege limits, token lifetime, or revocation steps.

User impact: Installing and using the skill may grant ongoing access to sensitive Workspace data and administrative functions.
Recommendation: Review the requested OAuth scopes and Membrane tenant before use, grant the least-privileged account possible, and confirm how to revoke the connection.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Each result includes `id`, `name`, `description`, `inputSchema` (what parameters the action accepts), and `outputSchema` (what it returns).

Action metadata from the external connection becomes context the agent may rely on when selecting and parameterizing actions. That is expected, but it should not be treated as more authoritative than the user's request.

User impact: Incorrect or misleading returned action metadata could lead the agent to choose the wrong operation or parameters.
Recommendation: Have the agent summarize the selected action and parameters for user confirmation before sensitive changes.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
SKILL.md
This skill uses the Membrane CLI to interact with Google Workspace. Membrane handles authentication and credentials refresh automatically

The skill uses Membrane as an intermediary between the agent and Google Workspace for authentication and actions. This is disclosed and purpose-aligned, but it means sensitive credentials and Workspace operations cross a third-party boundary.

User impact: Workspace data and authorization flows may be mediated by Membrane rather than only by the local agent and Google.
Recommendation: Confirm the Membrane tenant, trust model, data handling terms, and OAuth scopes before connecting a production Workspace account.