Handwrytten
Analysis
This looks like a real Handwrytten/Membrane integration, but it gives broad authenticated API control that can send paid letters or change account settings without clear approval limits.
Findings (9)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.
The agent may receive dynamic instructions from the connection workflow. This is purpose-aligned setup guidance, but it should not override the user's actual request or safety checks.
`membrane request CONNECTION_ID /path/to/endpoint` ... `HTTP method (GET, POST, PUT, PATCH, DELETE)`
The skill authorizes direct authenticated API proxy requests, including destructive methods, without defining allowlists, read-only defaults, cost limits, or approval requirements.
`npm install -g @membranehq/cli@latest`
The skill depends on a globally installed latest-version npm CLI rather than a pinned install artifact, and that install path is not represented in the registry install spec.
`npx @membranehq/cli connection get <id> --wait --json`
Although the skill has no bundled code files, its normal workflow runs external Node CLI code. This is coherent with the stated integration purpose, but users should notice the local execution.
`Send Letter | Send a handwritten letter to one or more recipients (up to 10)`
A mistaken or overbroad action can produce real-world external effects, including sending physical mail to multiple recipients, with no documented dry-run, rollback, or confirmation requirement.
`Manage Persons, Organizations, Deals, Leads, Activities, Notes and more`
The description lists CRM-style objects, while the same skill's Handwrytten overview focuses on cards, contacts, campaigns, orders, billing, payment methods, and users. This mismatch may confuse users about the actual scope.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
`membrane login --tenant --clientName=<agentType>` ... `Membrane handles authentication and credentials refresh automatically`
The skill requires delegated account authentication and ongoing credential refresh, while the registry declares no primary credential. That under-discloses sensitive account authority.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
`clientAction.description` — human-readable explanation ... `clientAction.agentInstructions` ... instructions for the AI agent
The agent is expected to consume returned setup context and instructions. That context is useful, but it could be over-trusted if not kept subordinate to user intent.
`send requests directly to the Handwrytten API through Membrane's proxy` ... `injects the correct authentication headers`
The integration routes API traffic and authentication handling through Membrane. This is disclosed and purpose-aligned, but it is a third-party gateway handling sensitive request data.