v1.0.4

Schedule It

Review: ClawScan verdict for this skill. Analyzed Apr 30, 2026, 5:40 PM.

Analysis

This Schedule It skill is plausible, but it asks users to run an unpinned Membrane CLI and gives broad authenticated API powers without clear approval or scope limits.

Guidance: Before installing, confirm you trust Membrane as a gateway for Schedule It data, pin and verify the CLI instead of using latest, use a least-privileged account, and require explicit approval before any user, role, organization, bulk, or delete operation.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

The skill allows remote connection-state content to provide instructions to the agent. This is purpose-aligned for setup, but should be bounded so it cannot override the user's goal.

User impact: Connection setup responses could steer the agent into additional programmatic steps if treated as authoritative.
Recommendation: Treat remote agent instructions as setup hints only, and require user confirmation if they conflict with the user's request or ask for broader actions.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
`membrane request CONNECTION_ID /path/to/endpoint` ... `--method` | HTTP method (GET, POST, PUT, PATCH, DELETE).

The skill exposes a raw authenticated API proxy with mutating and destructive methods, without instructions requiring confirmation, allowlists, or rollback for high-impact operations.

User impact: A mistaken or overly broad request could change or delete Schedule It data, including administrative resources, without a clear approval checkpoint.
Recommendation: Require explicit user approval before POST, PUT, PATCH, DELETE, bulk, role, user, or organization changes, and prefer narrowly scoped pre-built actions over raw proxy calls.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
npm install -g @membranehq/cli@latest

The runtime instructions install a mutable latest-version package globally. The reviewed artifacts do not pin the package version or integrity hash.

User impact: The CLI installed later may differ from what was expected during review, and package install scripts can affect the local environment.
Recommendation: Pin the Membrane CLI to a reviewed version, avoid global installs where possible, and document package provenance and integrity checks.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
SKILL.md
Use `npx @membranehq/cli@latest action list --intent=QUERY --connectionId=CONNECTION_ID --json` to discover available actions.

The skill may run package-managed CLI code at runtime. This is disclosed and coherent with its Membrane-based design, but it is still local code execution.

User impact: Running npm or npx commands can execute code on the user's machine.
Recommendation: Do not run these commands automatically; ask the user first and prefer pinned, verified CLI versions.

Cascading Failures
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Manage Users, Roles, Organizations, Projects, Pipelines, Activities and more.

The skill covers administrative resources where one incorrect action can affect many users or shared resources. The artifacts do not define containment or confirmation requirements.

User impact: A mistaken administrative change could affect a team, organization, or shared scheduling data, not just a single event.
Recommendation: Require confirmation for admin, bulk, and destructive operations, test changes on low-risk data first, and keep changes narrowly scoped.

Human-Agent Trust Exploitation
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Always prefer Membrane to talk with external apps ... make communication more secure

The skill makes a broad security claim encouraging use of Membrane without detailing the tradeoffs, data handling, or approval boundaries.

User impact: Users may over-trust the integration path and overlook the third-party gateway, credential refresh, and unpinned CLI installation risks.
Recommendation: Present Membrane's benefits alongside its data-routing and credential implications, and avoid relying on broad security claims alone.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Membrane handles authentication and credentials refresh automatically

The skill relies on delegated authentication with automatic refresh. The artifacts do not state scopes, least-privilege limits, expiry, or revocation guidance for this account access.

User impact: The integration may retain access to a Membrane/Schedule It connection beyond the immediate task, including authority over users, roles, or organizations.
Recommendation: Use a least-privileged account, review granted scopes during login, and revoke the Membrane/Schedule It connection when it is no longer needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
SKILL.md
send requests directly to the Schedule it API through Membrane's proxy. Membrane automatically ... injects the correct authentication headers

Membrane acts as a gateway/provider for Schedule It API traffic and credentials. This is purpose-aligned, but sensitive data and authentication headers are handled by that service.

User impact: Schedule It request data and authentication handling may pass through Membrane rather than only between the user and Schedule It.
Recommendation: Review Membrane's privacy and security terms, avoid sending unnecessary sensitive data, and use least-privileged connections.