Kustomer
Analysis
This Kustomer skill is purpose-aligned, but it grants broad CRM access and asks the agent to install and run an unpinned external CLI with limited approval or containment guidance.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.
The skill tells the agent that external connection responses may contain instructions for the AI agent. This is purpose-aligned for setup, but those instructions should not be allowed to override the user’s request or safety boundaries.
Use action names and parameters as needed. ... Create Customer ... Create Conversation ... Create Message ... Update Customer
The skill authorizes broad use of discovered Kustomer actions, including persistent write operations, but does not define approval, scoping, or rollback requirements for high-impact changes.
npm install -g @membranehq/cli@latest ... If no app is found, one is created and a connector is built automatically.
The skill relies on an unpinned global npm package and may create an automatically built connector that is not included in the reviewed artifacts.
npm install -g @membranehq/cli@latest ... npx @membranehq/cli connection get <id> --wait --json
Although this is presented as an instruction-only skill, it instructs the user or agent to install and execute npm-distributed CLI code.
List Customers — Retrieves all customers in your organization ... Update Customer — Updates an existing customer's attributes in Kustomer
The actions can operate on organization-wide Kustomer data and make persistent changes, but the skill does not provide containment rules for mistaken bulk or cross-record operations.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Membrane handles authentication and credentials refresh automatically ... The user completes authentication in the browser.
The skill requires delegated account authentication and credential refresh through Membrane/Kustomer. This is expected for the stated integration, but it gives the connected account’s privileges to the workflow.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
Each result includes `id`, `name`, `description`, `inputSchema` ... and `outputSchema`.
The agent is expected to use retrieved action metadata to decide which actions and parameters to use. This is normal for the integration, but retrieved descriptions and schemas should be treated as external context, not higher-priority instructions.
This skill uses the Membrane CLI to interact with Kustomer. Membrane handles authentication and credentials refresh automatically.
Kustomer access is mediated through the Membrane service/CLI, creating a third-party gateway for authentication and CRM operations. This is disclosed and purpose-aligned, but sensitive data and permissions flow through that provider.