ClawHub
Back to skill
v1.0.1

Stammerai

ReviewClawScan verdict for this skill. Analyzed Apr 30, 2026, 5:48 PM.

Analysis

Stammerai appears purpose-related, but it asks the agent to run an unpinned remote CLI, create persistent account credentials, and make broad authenticated proxy requests that are not clearly bounded.

GuidanceUse this skill only if you trust Membrane and are comfortable authenticating a Stammer.ai connection through it. Before using it, prefer a pinned Membrane CLI version, use a least-privileged account, require confirmation for any modifying or deleting request, avoid full-URL proxy calls unless necessary, and remove or revoke `~/.membrane/credentials.json` when finished.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityHighConfidenceHighStatusConcern
SKILL.md
`npx @membranehq/cli@latest request CONNECTION_ID /path/to/endpoint` ... `HTTP method (GET, POST, PUT, PATCH, DELETE)` ... `You can also pass a full URL instead of a relative path — Membrane will use it as-is.`

The skill exposes a broad authenticated request tool, including destructive methods, custom request data, and arbitrary full URLs, without documented confirmation or containment rules.

User impactA mistaken or overbroad agent action could modify or delete Stammer.ai data, or send authenticated requests somewhere unintended.
RecommendationLimit proxy use to documented Stammer.ai relative paths, require explicit user approval for POST/PUT/PATCH/DELETE and full-URL requests, and prefer narrowly scoped prebuilt actions.
Agentic Supply Chain Vulnerabilities
SeverityHighConfidenceHighStatusConcern
SKILL.md
`This skill uses the Membrane CLI (npx @membranehq/cli@latest) to interact with Stammer.ai.`

The runtime dependency is fetched with `@latest`, so the executable code can change over time and is not pinned or captured by an install spec.

User impactA future or compromised CLI release could change what runs locally when the skill is used.
RecommendationPin the CLI to a reviewed version, declare it in an install spec or requirements, and provide provenance for the dependency.
Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
SKILL.md
`npx @membranehq/cli@latest login --tenant`

The skill is instruction-only but tells the agent to execute an external CLI via `npx`; this is purpose-aligned for Membrane integration but still runs code in the user's environment.

User impactUsing the skill can execute downloaded CLI code with the user's local permissions.
RecommendationOnly run the command if you trust the Membrane CLI source, and prefer a pinned reviewed version.
Cascading Failures
SeverityMediumConfidenceHighStatusConcern
SKILL.md
`HTTP method (GET, POST, PUT, PATCH, DELETE). Defaults to GET`

The skill allows state-changing and destructive API methods against an external account without stated rollback, dry-run, or approval requirements.

User impactA single wrong parameter or endpoint could propagate into external Stammer.ai data changes, including updates or deletions affecting an organization or project.
RecommendationRequire explicit confirmation for destructive changes, review target IDs and payloads before execution, and use read-only discovery first.
Human-Agent Trust Exploitation
SeverityMediumConfidenceHighStatusConcern
SKILL.md
`credentials are stored in ~/.membrane/credentials.json` ... `Membrane manages the full Auth lifecycle server-side with no local secrets.`

The claim of `no local secrets` is potentially misleading because the same instructions say local credentials are stored and reused.

User impactUsers may underestimate the local credential exposure and persistence created by the setup flow.
RecommendationClarify that Membrane credentials are stored locally, explain what they grant access to, and provide logout/removal instructions.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityHighConfidenceHighStatusConcern
SKILL.md
`npx @membranehq/cli@latest login --tenant` ... `credentials are stored in ~/.membrane/credentials.json and reused for all future commands.`

The skill requires tenant-level Membrane authentication and persistent local credentials, while the supplied requirements declare no primary credential or required config path.

User impactInstalling or using the skill can give the agent reusable access to a Membrane-authenticated Stammer.ai connection beyond a single request.
RecommendationUse the least-privileged Membrane/Stammer.ai account available, document the credential requirement, and clear or revoke the Membrane credentials when the integration is no longer needed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityMediumConfidenceHighStatusConcern
SKILL.md
`credentials are stored in ~/.membrane/credentials.json and reused for all future commands.`

The skill creates persistent local authentication state that can be reused across future tasks, but the registry does not declare a required config path or credential.

User impactFuture agent sessions on the same environment may reuse the stored Membrane credentials unless they are cleared or revoked.
RecommendationTreat `~/.membrane/credentials.json` as sensitive, avoid shared environments, and remove or revoke credentials after use if persistence is not desired.
Insecure Inter-Agent Communication
SeverityHighConfidenceHighStatusConcern
SKILL.md
`Membrane ... injects the correct authentication headers` ... `You can also pass a full URL instead of a relative path — Membrane will use it as-is.`

The skill routes requests through a third-party proxy/gateway and allows full URLs, making the destination and authentication-header boundary unclear from the artifact.

User impactSensitive request data or authenticated traffic could be routed through Membrane or to unintended endpoints if the agent uses the proxy broadly.
RecommendationRestrict proxy requests to relative Stammer.ai API paths, document what data Membrane receives, and require user confirmation before sending data to any full URL.