v1.0.4

Kartra

Suspicious
ClawScan verdict for this skill. Analyzed Apr 30, 2026, 5:04 PM.

Analysis

This appears to be a real Kartra integration, but it delegates sensitive account access to Membrane and enables broad account, billing, automation, and customer actions without clear safeguards.

Guidance: Only install this if you are comfortable granting Membrane-mediated access to your Kartra account. Use a least-privilege account or test workspace where possible, pin and verify the CLI before installing, and require explicit confirmation before any billing, purchase, broadcast, automation, webhook, refund, or permission-changing action.

Findings (10)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

The skill makes externally returned instructions relevant to the agent's next steps without clearly saying they must be treated as untrusted or limited to the user's request.

User impact: A remote connector response could steer the agent toward actions the user did not explicitly request.
Recommendation: Treat returned agent instructions as untrusted data and require user confirmation before following them, especially for write, billing, email, or permission-changing actions.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
Manage Persons, Organizations, Leads, Deals, Pipelines, Activities and more... Billing... Payments... Refunds... Webhooks... User Roles... Automations... Broadcasts

The skill covers broad and high-impact Kartra operations, including financial, messaging, webhook, automation, and access-control areas, without clear approval or containment rules.

User impact: A mistaken or over-broad agent action could send broadcasts, alter automations, change user access, affect payments, or modify customer records.
Recommendation: Use explicit confirmations and narrow scopes for any write, payment, broadcast, webhook, automation, or role-management action.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
npm install -g @membranehq/cli@latest ... If no app is found, one is created and a connector is built automatically.

The skill relies on an unpinned global npm CLI install and can trigger automatically built connector components, creating provenance and version-control gaps.

User impact: The behavior of the integration may change over time or depend on generated/remote components that the user has not reviewed.
Recommendation: Pin the CLI version, document the install mechanism in the install spec, and verify any generated connector before granting sensitive access.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
SKILL.md
npm install -g @membranehq/cli@latest ... npx @membranehq/cli connection get <id> --wait --json

The skill requires installing and running npm-hosted CLI code. This is purpose-aligned for the integration, but it changes the local environment and executes third-party package code.

User impact: Using the skill may run external CLI software on the user's machine or environment.
Recommendation: Install the CLI only from the expected npm package, consider pinning a version, and avoid running it in sensitive environments unless needed.

Cascading Failures
Severity: High | Confidence: High | Status: Concern
SKILL.md
Automations... Sequences... Broadcasts... Webhooks... Billing... Payments... Refunds... User Roles... Teams

The covered Kartra areas include account-wide systems where one wrong action can propagate to customers, payment flows, webhooks, team permissions, and marketing automation.

User impact: A single bad instruction or misunderstood request could affect many customers, workflows, payments, or team members.
Recommendation: Use staged previews, dry runs where possible, and explicit user approval before broad or irreversible account changes.

Human-Agent Trust Exploitation
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Membrane handles authentication and credentials refresh automatically — so you can focus on the integration logic rather than auth plumbing.

The wording is not inherently deceptive, but it may make credential delegation and persistent refresh sound routine despite the sensitivity of the access.

User impact: Users may pay less attention to what account permissions they are granting and how long the connection remains active.
Recommendation: Clearly review requested scopes, connected accounts, and revocation steps rather than treating automatic credential handling as risk-free.

Rogue Agents
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Membrane handles authentication and credentials refresh automatically

Automatic credential refresh indicates persistent access may remain available after setup. The artifacts do not show hidden autonomous behavior, but persistence should be noticed.

User impact: The integration may retain the ability to access the connected account until the user revokes or disconnects it.
Recommendation: Disconnect or revoke the Membrane/Kartra connection when it is no longer needed.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
metadata
Primary credential: none ... Capability signals: requires-oauth-token; requires-sensitive-credentials

The declared credential contract conflicts with the capability signals, which indicate OAuth and sensitive credentials are required.

User impact: Users may grant Kartra or Membrane account access without the registry-level credential requirements making that boundary clear.
Recommendation: Before use, verify what OAuth scopes and account permissions are requested, and prefer a least-privilege Kartra account or connection.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

Externally supplied instructions can become part of the agent's working context and may be over-trusted if not clearly separated from user instructions.

User impact: Connector-provided text could influence the agent to expose data or take actions outside the user's intended task.
Recommendation: Keep remote instructions separate from trusted user instructions and require confirmation before using them to perform sensitive actions.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
SKILL.md
This skill uses the Membrane CLI to interact with Kartra. Membrane handles authentication and credentials refresh automatically

The skill routes authentication and Kartra interaction through Membrane. That is disclosed and purpose-aligned, but it means credentials and account actions depend on a third-party gateway.

User impact: Kartra access and action execution may be mediated by Membrane rather than occurring directly between the user and Kartra.
Recommendation: Review Membrane's access model, connected-account permissions, and revocation options before connecting a production Kartra account.