ClawHub
Back to skill
v1.0.4

Incidentio

ReviewClawScan verdict for this skill. Analyzed Apr 30, 2026, 5:01 PM.

Analysis

The skill looks like a plausible Incident.io integration, but it asks for broad authenticated Incident.io/Membrane control and unpinned global CLI execution without clear approval or scope limits.

GuidanceInstall only if you trust Membrane and are comfortable granting it Incident.io access. Pin and verify the Membrane CLI instead of installing @latest, use least-privilege credentials, and instruct the agent to ask before any write, alert-triggering, integration, workflow, or status-page action.

Findings (9)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
SeverityLowConfidenceHighStatusNote
SKILL.md
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

The skill allows externally returned connection data to provide instructions to the agent. This is purpose-aligned for setup, but should not be treated as authority to override the user's goal or safety checks.

User impactA connector or setup response could influence how the agent proceeds during authentication or configuration.
RecommendationTreat returned agentInstructions as guidance only; follow them only when they are consistent with the user's request and do not bypass confirmations.
Tool Misuse and Exploitation
SeverityHighConfidenceHighStatusConcern
SKILL.md
`Use action names and parameters as needed.` ... `Send Alert Event | send-alert-event | Send an alert event to an HTTP alert source to potentially trigger an incident`

The skill gives the agent broad discretion to select and parameterize actions, including an action that can trigger an incident, without requiring explicit user approval for high-impact operations.

User impactThe agent could create, update, or trigger Incident.io objects in a way that affects incident response workflows and teams.
RecommendationRequire explicit user confirmation before any write, alert-triggering, integration, status page, or workflow-changing action; show the exact action, connection, and parameters first.
Agentic Supply Chain Vulnerabilities
SeverityMediumConfidenceHighStatusConcern
SKILL.md
`npm install -g @membranehq/cli@latest` ... `If no app is found, one is created and a connector is built automatically.`

The skill depends on an unpinned global npm package and may rely on automatically built connector components, creating provenance and version-control risk.

User impactInstalling the skill as written could execute whatever version of the Membrane CLI is latest at install time, and connector behavior may change outside this skill's reviewed artifact.
RecommendationPin the CLI to a reviewed version, verify the npm package source, and avoid using automatically built connectors for sensitive accounts unless reviewed.
Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
SKILL.md
`npx @membranehq/cli connection get <id> --wait --json`

The instructions run CLI code via npx. This is aligned with the integration's purpose, but it is still local code execution from the npm ecosystem.

User impactThe local machine may execute package code that is not contained within the skill artifact itself.
RecommendationPrefer a pinned, previously installed CLI version and run it from an environment appropriate for handling Incident.io credentials.
Cascading Failures
SeverityMediumConfidenceHighStatusConcern
SKILL.md
Send an alert event to an HTTP alert source to potentially trigger an incident

An incorrectly invoked action can initiate incident workflows, which may notify teams or interact with integrations. The skill does not define containment or confirmation for these cascading effects.

User impactA mistaken or unauthorized action could trigger incident response processes across the organization.
RecommendationUse a test or low-impact connection first, and require explicit confirmation before actions that can trigger incidents, notifications, integrations, or public status changes.
Human-Agent Trust Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
Official docs: https://developer.pagerduty.com/docs/incident-management

The skill is for Incident.io but labels a PagerDuty URL as the official docs, which could mislead users or the agent about the authoritative source.

User impactUsers may follow the wrong documentation or assume the integration is backed by different official guidance.
RecommendationVerify the correct Incident.io documentation and treat the provided docs link as unreliable until corrected.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusConcern
SKILL.md
`Membrane handles authentication and credentials refresh automatically` ... `connect` — user needs to authenticate (OAuth, API key, etc.).

The skill relies on delegated OAuth/API-key access and automatic credential refresh, but does not describe least-privilege scopes, revocation, or limits on account authority.

User impactA Membrane connection may retain access to Incident.io beyond a single command and may be able to perform sensitive account actions.
RecommendationUse the least-privileged Incident.io account or token available, review OAuth scopes, and revoke the Membrane connection when it is no longer needed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceMediumStatusNote
SKILL.md
Each result includes `id`, `name`, `description`, `inputSchema` ... and `outputSchema`.

The agent is expected to use dynamically returned action metadata to decide how to act. If that metadata is incorrect or malicious, it could influence action selection or parameter use.

User impactBad or misleading action descriptions could cause the agent to choose the wrong Incident.io operation.
RecommendationTreat returned action descriptions and schemas as data, not instructions; validate them against the user's explicit request before acting.
Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
This skill uses the Membrane CLI to interact with Incident.Io. Membrane handles authentication and credentials refresh automatically

The skill uses Membrane as an intermediary provider for Incident.io access and credential handling. This is disclosed and purpose-aligned, but users should understand the data boundary.

User impactIncident.io data and authentication flows may pass through Membrane rather than only between the user and Incident.io.
RecommendationUse this only if you trust Membrane for the relevant Incident.io data and credentials; review account permissions and connection settings.