v1.0.4

Volvo Aemp

ReviewClawScan verdict for this skill. Analyzed Apr 30, 2026, 6:01 PM.

Analysis

This skill is a plausible Volvo AEMP integration, but it asks you to install an unpinned global CLI and delegate persistent Volvo/Membrane credential access, so it deserves review before use.

GuidanceBefore installing, verify that you trust Membrane and the npm package source, prefer a pinned CLI version instead of '@latest', use a least-privilege Volvo AEMP account, explicitly approve any connection/app/connector creation, and know how to revoke the Membrane/Volvo connection when finished.

Findings (9)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityLowConfidenceHighStatusNote

SKILL.md

`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

The skill tells the agent to consume instructions returned by an external service. This is purpose-aligned for setup, but those instructions should not become more authoritative than the user’s request.

User impactThe agent may receive dynamic setup directions from Membrane, which could influence what it does next.

RecommendationTreat returned agent instructions as untrusted operational hints; confirm they are limited to the Volvo AEMP setup task before following them.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

If no app is found, one is created and a connector is built automatically.

The Membrane CLI workflow can mutate the user’s Membrane account by creating apps/connectors automatically, but the artifact does not define confirmation, scope, rollback, or containment requirements.

User impactA mistaken or overly broad connection command could create persistent account objects or connectors the user did not intend.

RecommendationRequire explicit user confirmation before creating Membrane connections, apps, or connectors, and verify the target Volvo domain and account.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

SKILL.md

npm install -g @membranehq/cli@latest

The skill instructs a global install of the latest CLI package rather than a pinned version, increasing supply-chain and reproducibility risk.

User impactThe installed CLI version may change over time, and a compromised or breaking package release would affect the user’s environment.

RecommendationPin a reviewed CLI version, avoid global installs where possible, and verify the package source before installation.

Unexpected Code Execution

SeverityMediumConfidenceHighStatusConcern

SKILL.md

npx @membranehq/cli connection get <id> --wait --json

The skill can execute an external npm package through npx during use. This is visible and purpose-related, but it is still downloaded/executed tooling outside the instruction-only artifact.

User impactUsing the skill may run external package code on the local machine or agent environment.

RecommendationPrefer a pinned, preinstalled Membrane CLI and require user approval before running npm/npx commands.

Cascading Failures

SeverityLowConfidenceHighStatusNote

SKILL.md

If no app is found, one is created and a connector is built automatically.

A single wrong domain or connection setup action may create persistent Membrane account state, which could carry forward beyond the immediate request.

User impactSetup mistakes could persist as unwanted connections or connectors.

RecommendationConfirm the target app/domain before connection creation and clean up unused connections after testing.

Human-Agent Trust Exploitation

SeverityInfoConfidenceMediumStatusNote

SKILL.md

Membrane handles authentication and credentials refresh automatically — so you can focus on the integration logic rather than auth plumbing.

The wording emphasizes convenience while the same behavior involves persistent credential handling. It is not necessarily deceptive, but users should notice the tradeoff.

User impactA user may underestimate that credential refresh means continuing delegated access.

RecommendationMake the persistence and revocation implications explicit before asking a user to authenticate.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

SKILL.md

Membrane handles authentication and credentials refresh automatically

The skill delegates authentication and refresh of credentials to Membrane, implying persistent authority over a third-party Volvo AEMP account without clearly stated scopes, least-privilege guidance, or revocation steps.

User impactMembrane may retain access needed to query or manage Volvo AEMP data beyond a single chat session.

RecommendationUse a least-privilege Volvo/Membrane account, review requested OAuth/API scopes, and revoke the connection when it is no longer needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

The agent may ingest externally supplied instructions as context. This can be useful for setup but should be bounded so it cannot poison the agent’s broader task context.

User impactExternal setup text could influence the agent’s next steps if it is not treated carefully.

RecommendationKeep external action descriptions and agent instructions scoped to the current connection workflow and do not reuse them as persistent policy.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

SKILL.md

This skill uses the Membrane CLI to interact with Volvo AEMP. Membrane handles authentication and credentials refresh automatically

A third-party provider mediates the connection between the agent and Volvo AEMP. That is disclosed and purpose-aligned, but the artifact does not describe detailed data-boundary, identity, or permission controls.

User impactVolvo AEMP authentication and integration data may pass through or be managed by Membrane.

RecommendationReview Membrane’s security/privacy terms and only connect accounts whose data you are comfortable routing through the provider.