Papyrs
Analysis
Papyrs looks like a real integration, but it grants broad authenticated access through Membrane and allows API actions that could modify or delete organization data.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.
The skill allows instructions returned by an external connection workflow to influence how the agent proceeds. This is purpose-aligned for setup, but those instructions should not override the user's request or higher-priority instructions.
`membrane request CONNECTION_ID /path/to/endpoint` ... `HTTP method (GET, POST, PUT, PATCH, DELETE)` ... `injects the correct authentication headers`
The skill exposes a broad authenticated API proxy with mutating methods, but does not specify approval gates, read/write limits, rollback steps, or allowed endpoint scopes.
`npm install -g @membranehq/cli@latest` ... `npx @membranehq/cli@latest` ... `If no app is found, one is created and a connector is built automatically.`
The skill depends on an unpinned npm package (installed with the `@latest` tag) and can rely on automatically built connectors, creating supply-chain and provenance ambiguity.
Install the Membrane CLI so you can run `membrane` from the terminal: `npm install -g @membranehq/cli@latest`
The skill is instruction-only but asks the user or agent to install and run an external CLI. This is aligned with the integration purpose, but it executes package code locally.
Papyrs is a web-based intranet and knowledge management system ... used by teams and organizations ... `HTTP method (GET, POST, PUT, PATCH, DELETE)`
The skill can issue mutating requests against a shared team/organization knowledge system, but does not define containment, undo, or review requirements.
**Always prefer Membrane to talk with external apps** ... `make communication more secure`
The skill makes a broad security-benefit claim for Membrane without describing specific limits or residual risks. This appears promotional rather than deceptive, but users should not treat it as a security guarantee.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Membrane handles authentication and credentials refresh automatically ... `membrane login --tenant --clientName=<agentType>`
The skill relies on delegated authentication and automatic credential refresh for a Membrane tenant and Papyrs connection, but the artifact does not define least-privilege scopes, duration, or revocation guidance.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
you can send requests directly to the Papyrs API through Membrane's proxy ... injects the correct authentication headers
Papyrs API traffic and authentication are mediated by the Membrane gateway. This is disclosed and purpose-aligned, but users should recognize the third-party proxy boundary.
