v1.0.4

Mindbreeze

ReviewClawScan verdict for this skill. Analyzed Apr 30, 2026, 5:15 PM.

Analysis

This instruction-only skill has no code to install, but it declares broad Mindbreeze account powers that are not clearly limited or consistently disclosed.

GuidanceInstall only if you trust the publisher and can use a least-privilege Membrane/Mindbreeze account. Before allowing actions, ask for confirmation on any write, delete, purchase, token, certificate, user/role, service, scheduled task, workflow, script, binary, vector-store, prompt, or training-data change.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

SKILL.md

Manage data, records, and automate workflows ... User ... Role ... Certificate ... License ... Backup ... Update ... Configuration ... Running Task ... Scheduled Task ... Service ... Access Token

The skill scope includes broad automation plus high-impact administrative objects, but the instructions do not define approval, read/write limits, rollback, or safe-operation boundaries.

User impactThe agent could be guided to make significant changes to Mindbreeze data or administration without clear guardrails.

RecommendationUse only with explicit user approval for writes, deletes, purchases, admin changes, service/task changes, and token or certificate operations.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

metadata

Source: unknown

The skill has no code or install dependencies, but its source provenance is not established in the registry metadata.

User impactUsers have less assurance that the published skill is actually from the claimed project or maintainer.

RecommendationVerify the publisher, homepage, and repository before connecting a Membrane or Mindbreeze account.

Unexpected Code Execution

SeverityLowConfidenceMediumStatusNote

SKILL.md

Script ... Binary ... Function ... Macro

The listed Mindbreeze resource types include code-like or executable artifacts; although no local code is shipped, updates to these resources may affect execution inside the connected service.

User impactChanging script, binary, function, or macro resources could have effects beyond ordinary data management.

RecommendationTreat creation or modification of code-like resources as privileged actions requiring explicit review and approval.

Cascading Failures

SeverityHighConfidenceHighStatusConcern

SKILL.md

Datasource ... Index ... Backup ... Update ... Configuration ... Running Task ... Scheduled Task ... Service ... Data Source Connection ... Crawler

These resources can affect indexing, data ingestion, service operation, scheduled execution, and system configuration, but the instructions do not define staging, rollback, or blast-radius limits.

User impactA mistaken or overbroad action could propagate across enterprise search, data sources, scheduled jobs, or service configuration.

RecommendationRequire dry-run/review steps for configuration, datasource, index, task, service, update, backup, and crawler changes; prefer staged or reversible operations.

Human-Agent Trust Exploitation

SeverityMediumConfidenceHighStatusConcern

metadata/capability signals

Primary credential: none ... Capability signals: can-make-purchases; requires-oauth-token; requires-sensitive-credentials

The public requirement metadata understates credential needs while capability signals indicate sensitive credentials and purchase authority, which can mislead users about what trust they are granting.

User impactUsers may install or invoke the skill without understanding that it may involve sensitive account access or purchase-capable actions.

RecommendationUpdate the listing to clearly disclose credential requirements, purchase-related permissions, account scopes, and which actions require explicit approval.

Rogue Agents

SeverityMediumConfidenceHighStatusConcern

SKILL.md

automate workflows ... Workflow ... Running Task ... Scheduled Task ... Service ... Agent

The skill scope includes persistent automation and service/task/agent resources that could continue operating after the immediate user request if not explicitly controlled.

User impactThe agent could create or modify persistent automations, tasks, services, or agents that keep acting later.

RecommendationRequire explicit user confirmation for creating, enabling, disabling, or modifying persistent tasks, services, workflows, or agents, and provide a way to list and remove them.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

metadata/capability signals

Primary credential: none ... Capability signals: requires-oauth-token; requires-sensitive-credentials

The registry credential contract says no primary credential is required, while the capability signals indicate OAuth and sensitive credential use, creating an unclear permission boundary.

User impactUsers may not realize the skill needs sensitive account access or may grant broader credentials than intended.

RecommendationRequire the publisher to declare the credential type, scopes, storage expectations, and minimum privileges; use a least-privilege account or token.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusConcern

SKILL.md

Context ... Prompt ... Embedding Model ... Vector Store ... Chat Log ... Chat Session ... Training Data ... Evaluation Data

The skill scope includes persistent AI/search context and training-related data that could be read, altered, or poisoned if writes are not carefully bounded.

User impactSensitive search context, chat history, prompts, or vector data could be exposed or changed in ways that affect future answers and workflows.

RecommendationLimit access to only needed datasets and require confirmation before writing to prompts, vector stores, chat logs, training data, or other persistent context.