v1.0.4

Hookdeck

Review: ClawScan verdict for this skill. Analyzed Apr 30, 2026, 4:58 PM.

Analysis

This Hookdeck skill is purpose-aligned, but it asks the agent to install an unpinned third-party CLI, use remote agent instructions, and grant Membrane access to Hookdeck-related credentials.

Guidance: Before installing, confirm that you trust Membrane as the intermediary for Hookdeck access, pin or review the Membrane CLI version instead of using `@latest`, and require explicit confirmation before the agent creates or changes any Hookdeck, workflow, destination, or connection configuration.

Findings (9)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

The skill tells the agent to consume remote instructions from a connection workflow as instructions for its own behavior, without saying they must be treated as untrusted or subordinate to the user request.

User impact: A remote connection response could influence what the agent does next, potentially steering it beyond the user's intended task.
Recommendation: Only follow remote agent instructions after checking they match the user's request, and ask the user before taking actions that change accounts, data, or configuration.

Tool Misuse and Exploitation
Severity: Medium | Confidence: Medium | Status: Concern
SKILL.md
`membrane connection ensure "https://hookdeck.com/" --json` ... `If no app is found, one is created and a connector is built automatically.`

The CLI instruction can create account-side connections/connectors automatically, and the artifact does not clearly define approval, rollback, or containment boundaries for these mutations.

User impact: The agent may create or alter integration configuration in a Membrane/Hookdeck-related account when the user expected only inspection or a narrowly scoped operation.
Recommendation: Require explicit user confirmation before creating connections, connectors, workflows, destinations, or other account configuration.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
`npm install -g @membranehq/cli@latest`

The skill instructs a global npm installation using the moving `@latest` tag, so the installed code is not pinned to a reviewed version.

User impact: A future or compromised npm release could change what code is installed and executed on the user's machine.
Recommendation: Pin the CLI to a specific reviewed version and prefer a declared install specification over ad hoc global installation instructions.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
SKILL.md
`npx @membranehq/cli connection get <id> --wait --json`

The skill includes shell commands that execute a package through npm/npx. This is expected for a CLI-based integration, but users should recognize it runs local code.

User impact: The skill may cause local package code to run on the user's system as part of normal operation.
Recommendation: Run the CLI only from trusted environments and pin or preinstall the expected CLI version where possible.

Cascading Failures
Severity: Medium | Confidence: Medium | Status: Note
SKILL.md
Hookdeck is a webhook management tool ... transformations, and retries to ensure webhooks are delivered and handled correctly.

Hookdeck configuration can affect webhook delivery and integrations. This is central to the skill's purpose, but mistakes in webhook routing, transformations, or retries can affect downstream systems.

User impact: An incorrect change could disrupt webhook delivery or affect connected services.
Recommendation: Use read-only/list actions when possible, and require explicit confirmation before modifying webhook routing, transformations, retries, destinations, or workflows.

Human-Agent Trust Exploitation
Severity: Info | Confidence: High | Status: Note
SKILL.md
This skill uses the Membrane CLI to interact with Hookdeck.

The skill is branded as a Hookdeck integration but clearly discloses that Membrane is the operational intermediary. This is not deceptive, but it is an important trust distinction.

User impact: Users may assume they are authorizing only Hookdeck unless they notice the Membrane account and CLI requirement.
Recommendation: Read the authentication prompts carefully and make sure granting Membrane-mediated access is acceptable.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Membrane handles authentication and credentials refresh automatically

The skill depends on delegated authentication and credential refresh. This is aligned with managing Hookdeck data, but it grants sensitive account access through Membrane.

User impact: Using the skill may give Membrane and the agent session access to Hookdeck-related data and actions.
Recommendation: Use the least-privileged account or workspace available, and review what access is granted during the Membrane/Hookdeck authorization flow.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Each result includes `id`, `name`, `description`, `inputSchema` ... and `outputSchema`

The agent is expected to use retrieved action metadata and descriptions as context for choosing actions. This is purpose-aligned, but retrieved descriptions can be over-trusted if not validated against the user's goal.

User impact: Misleading or unexpected action metadata could influence the agent's choice of operation.
Recommendation: Treat retrieved action descriptions and schemas as data, not higher-priority instructions, and confirm sensitive actions with the user.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: Medium | Status: Note
SKILL.md
This skill uses the Membrane CLI to interact with Hookdeck. Membrane handles authentication and credentials refresh automatically

Hookdeck access is mediated through an external provider/CLI that handles authentication. This is disclosed and purpose-aligned, but it creates a third-party data and credential boundary users should understand.

User impact: Hookdeck-related data and credentials may pass through Membrane-controlled tooling rather than a direct Hookdeck-only integration.
Recommendation: Confirm that Membrane is an acceptable intermediary for the workspace and that its granted permissions match the intended Hookdeck tasks.