v1.0.6

Capsule Crm

ReviewClawScan verdict for this skill. Analyzed Apr 30, 2026, 3:18 PM.

Analysis

This Capsule CRM skill is purpose-aligned, but it relies on unpinned external CLI execution and grants broad CRM/OAuth authority for creating, updating, and deleting records without clear approval or scope limits.

GuidanceInstall only if you are comfortable using Membrane as a gateway to Capsule CRM. Pin and verify the Membrane CLI before installing it, use a least-privilege Capsule account, and require explicit confirmation before any create, update, or delete action.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityLowConfidenceHighStatusNote

SKILL.md

`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.

The skill tells the agent that external connection responses may contain agent-directed instructions, which should not be treated as higher authority than the user's request.

User impactA tool response during setup could steer the agent's next steps if treated as authoritative.

RecommendationTreat returned agent instructions as untrusted operational hints and follow them only when they are consistent with the user's explicit request and safety boundaries.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

| Delete Project | delete-project | Delete a project from Capsule CRM |
| Delete Task | delete-task | Delete a task from Capsule CRM |

The skill exposes destructive CRM actions but does not specify explicit confirmation, scope checks, or reversibility before running them.

User impactThe agent could delete or modify CRM records if it selects or runs the wrong action.

RecommendationRequire explicit user confirmation for every create, update, or delete action, including the target record IDs and a summary of the exact change.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

SKILL.md

npm install -g @membranehq/cli@latest

The skill instructs a global install of the latest npm package version, which is unpinned and can change outside the reviewed artifact.

User impactA future or compromised package release could alter what code runs locally when following the skill instructions.

RecommendationPin the CLI to a reviewed version, install it in an isolated environment, and verify the package source before use.

Unexpected Code Execution

SeverityLowConfidenceHighStatusNote

SKILL.md

npx @membranehq/cli connection get <id> --wait --json

Even though the skill has no bundled code, its workflow runs an external CLI through shell commands, which is expected for this integration but still executes local code.

User impactUsing the skill can run third-party CLI code on the user's machine.

RecommendationRun the CLI only from a trusted package source, prefer pinned versions, and avoid using it from highly privileged shells.

Cascading Failures

SeverityMediumConfidenceHighStatusConcern

SKILL.md

| Create Opportunity | create-opportunity | Create a new opportunity in Capsule CRM |
| Update Opportunity | update-opportunity | Update an existing opportunity in Capsule CRM |

The skill can change shared CRM sales records and workflows, but the instructions do not describe containment such as dry-runs, staging, backups, or approval gates.

User impactOne mistaken agent action could propagate incorrect or unwanted changes across shared sales workflows.

RecommendationStart with read-only actions, require approvals for mutations, and keep audit logs or backups for CRM changes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

SKILL.md

Membrane handles authentication and credentials refresh automatically

The skill delegates Capsule CRM authentication and token refresh to Membrane, giving it ongoing account authority, but the instructions do not bound scopes, retention, or revocation.

User impactA connected account may grant broad access to CRM contacts, opportunities, tasks, and other business records.

RecommendationUse the least-privileged Capsule CRM account possible, review granted OAuth scopes, and revoke the Membrane connection when no longer needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

This skill uses the Membrane CLI to interact with Capsule CRM. Membrane handles authentication and credentials refresh automatically

Capsule CRM data and authentication are mediated through Membrane as an external provider/gateway, so users should understand that boundary.

User impactCRM data and account access may pass through Membrane rather than only between the user and Capsule CRM.

RecommendationReview Membrane's data handling, connector behavior, and account permissions before connecting sensitive CRM data.