Lever
Analysis
This appears to be a legitimate Lever integration, but it asks the agent to install and run an unpinned global CLI and grants broad OAuth-backed authority to change recruiting records without clear approval limits.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically.
The skill allows instructions returned from an external connection flow to guide the agent's next programmatic steps. This is purpose-aligned for setup, but those instructions should not override the user's actual request or safety checks.
Create User | create-user ... Update Opportunity Stage | update-opportunity-stage ... Archive Opportunity | archive-opportunity ... Delete Interview | delete-interview
The exposed actions can mutate important ATS data, including users, candidate stages, archived opportunities, and scheduled interviews. The artifacts do not define approval, dry-run, rollback, or per-action limits for these high-impact operations.
npm install -g @membranehq/cli@latest
The skill instructs installation of an unpinned npm package globally at runtime. Using @latest creates a moving dependency target, and global installation increases host impact if the package or its install chain is compromised.
Install the Membrane CLI so you can run `membrane` from the terminal:

```bash
npm install -g @membranehq/cli@latest
```
Although this is presented as an instruction-only skill with no install spec, the runtime instructions require installing and executing a CLI package. This is an install-to-run flow that is not captured by the declared install mechanism.
Update Opportunity Stage | update-opportunity-stage | Move an opportunity to a different pipeline stage
Archive Opportunity | archive-opportunity | Archive an opportunity with a reason
Delete Interview | delete-interview | Delete a scheduled interview
A mistaken action could propagate through hiring workflows, affecting candidate status, recruiter coordination, or scheduled interviews. The artifacts do not describe containment, review, or rollback safeguards.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Membrane handles authentication and credentials refresh automatically
The integration relies on delegated authentication and automatic credential refresh for Lever through Membrane. That is coherent with the purpose, but the artifacts do not clearly state OAuth scopes, privilege limits, token lifetime, or revocation guidance.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
The output contains the new connection id.
The skill uses a reusable connection identifier for the external Lever connection. This is expected for an integration, but the agent should avoid mixing connection IDs between users, tenants, or tasks.
This skill uses the Membrane CLI to interact with Lever. Membrane handles authentication and credentials refresh automatically
The skill uses Membrane as an external broker between the agent and Lever. That is disclosed and purpose-aligned, but sensitive recruiting data and authentication flows may pass through this provider boundary.
