v1.0.4

Interzoid

ReviewClawScan verdict for this skill. Analyzed Apr 30, 2026, 5:03 PM.

Analysis

The skill matches an Interzoid integration, but it under-discloses credentialed Membrane access and asks users to install and run an unpinned global CLI that can perform create, update, and delete actions without clear approval boundaries.

GuidanceInstall only if you trust Membrane and Interzoid with the relevant account and data. Prefer a pinned Membrane CLI version, avoid global or npx execution where possible, use least-privileged credentials, and require explicit confirmation before any create, update, delete, or bulk workflow action.

Findings (9)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityLowConfidenceHighStatusNote

SKILL.md

`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

The workflow can introduce remote service-provided instructions into the agent's decision process; this is purpose-aligned for setup, but those instructions should not override the user's goal or local safety policy.

User impactA remote connection response could influence what the agent does next if treated as authoritative.

RecommendationTreat remote agentInstructions as untrusted operational hints and confirm any action that changes data, credentials, or connection settings.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

SKILL.md

Use action names and parameters as needed. ... Create Global Data ... Update Global Data ... Delete Global Data

The skill exposes broad mutating and destructive data operations without artifact-level instructions requiring confirmation, scoping, dry runs, or rollback before use.

User impactThe agent could create, alter, or delete Interzoid-related records if the wrong action or parameters are selected.

RecommendationRequire explicit user approval before any create, update, delete, or bulk workflow action, and prefer read-only actions unless the user specifically requests mutation.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

SKILL.md

npm install -g @membranehq/cli@latest

The skill depends on a globally installed npm package using the moving @latest tag, and that dependency is not captured in an install spec or pinned to a verified version.

User impactThe code run by the skill can change over time based on the latest npm release, making behavior and provenance harder to verify.

RecommendationInstall a reviewed, pinned version of the Membrane CLI from a trusted source instead of using @latest, and avoid global installs where possible.

Unexpected Code Execution

SeverityMediumConfidenceHighStatusConcern

SKILL.md

npx @membranehq/cli connection get <id> --wait --json

Although the registry describes an instruction-only skill with no install spec, the runtime instructions execute an npm-distributed CLI, including via npx.

User impactUsing the skill can run downloaded third-party code on the user's machine even though no code files are included in the skill package.

RecommendationApprove CLI execution explicitly, use a pinned local installation, and run commands from a controlled environment.

Cascading Failures

SeverityMediumConfidenceMediumStatusNote

SKILL.md

Manage data, records, and automate workflows.

The stated purpose includes automated record workflows; bad input or an incorrect action could propagate through multiple records unless the user imposes scope and review.

User impactA mistaken automated workflow could affect more Interzoid data than intended.

RecommendationUse small batches, preview actions, and require confirmation before workflow automation or bulk record changes.

Human-Agent Trust Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

Membrane handles authentication and credentials refresh automatically — so you can focus on the integration logic rather than auth plumbing.

The wording discloses credential refresh but may encourage users to overlook the security significance of delegated, refreshed credentials.

User impactUsers may treat authentication as routine setup and miss that they are granting ongoing account access.

RecommendationPause at authentication steps, verify requested access, and record how to revoke the connection.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

SKILL.md

`membrane login --tenant --clientName=<agentType>` ... Membrane handles authentication and credentials refresh automatically

The skill requires delegated account authentication and ongoing credential refresh, but the registry credential contract declares no primary credential and the instructions do not define the scope of delegated authority.

User impactInstalling or using the skill may grant persistent account access through Membrane beyond what a user expects from a skill declared with no primary credential.

RecommendationReview the Membrane and Interzoid permissions before login, use the least-privileged account or key available, and know how to revoke the connection afterward.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceMediumStatusNote

SKILL.md

`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

Remote instructions may enter the agent's working context during connection setup; this is useful for workflow guidance but can poison context if reused or over-trusted.

User impactService-provided text could steer the agent's later choices if it is not kept subordinate to the user's request.

RecommendationKeep external instructions isolated to the immediate setup step and do not treat them as durable policy or user intent.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

SKILL.md

If no app is found, one is created and a connector is built automatically.

The skill routes setup through Membrane as a provider/gateway and can auto-build a connector; this is disclosed and purpose-aligned, but the artifacts do not detail the connector's identity, permissions, or data boundary.

User impactCredentials and Interzoid-related data may pass through a Membrane-managed connector whose scope should be understood before use.

RecommendationConfirm which connector is created, what account it uses, what data it can access, and how to revoke or disable it.