Asknicely
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This AskNicely connector is mostly coherent, but it gives an agent broad AskNicely action and API-proxy power, including permanent bulk deletions, without clear approval guardrails in the provided artifact.
Install only if you trust Membrane and need an AskNicely automation connector. Before using it, pin or verify the CLI package if possible, authenticate with limited privileges, and require explicit confirmation before any delete, bulk, send-survey, or direct API-proxy operation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly autonomous action could permanently delete customer data, change records, or trigger surveys from the user's AskNicely account.
The skill documents generic execution of AskNicely actions and a raw API-proxy fallback while listing permanent/bulk deletion as an available action; the provided artifact does not show explicit confirmation or scoping safeguards for these high-impact mutations.
The skill's popular actions include "Bulk Delete Contacts (GDPR) ... Permanently delete all personal data for multiple contacts"; actions are run with `membrane action run <actionId> --connectionId=CONNECTION_ID --json`; and proxy requests allow sending requests directly to the AskNicely API through Membrane's proxy.
Require explicit user confirmation, exact target identifiers, and a preview/dry-run for delete, bulk, send-survey, or proxy API operations; avoid direct proxy calls unless the user specifically requests them.
The Membrane connection may retain access to the user's AskNicely account and act with the permissions granted during authentication.
The skill requires delegated authentication through Membrane and automatic credential refresh, which is expected for the integration but grants persistent account access.
This skill uses the Membrane CLI to interact with AskNicely. Membrane handles authentication and credentials refresh automatically ... `membrane login --tenant --clientName=<agentType>`
Authenticate with the least-privileged AskNicely account possible, review granted scopes, and revoke the Membrane connection when it is no longer needed.
The installed CLI version could change over time, and the user must trust the npm package and its update path.
The skill asks the user to install a global CLI package from npm using the moving `@latest` tag. This is central to the stated purpose, but it means the reviewed artifact does not pin the exact CLI code that will run.
`npm install -g @membranehq/cli@latest`
Install only from the official Membrane package, consider pinning a known version, and review the package source or provenance before use.
Customer experience data and API requests may be processed by Membrane in addition to AskNicely.
AskNicely requests and potentially customer/contact/survey data are routed through Membrane as a gateway. This is disclosed and purpose-aligned, but it is a sensitive third-party data flow.
When the available actions don't cover your use case, you can send requests directly to the AskNicely API through Membrane's proxy.
Review Membrane's data handling terms, avoid sending unnecessary sensitive data, and restrict proxy use to user-approved tasks.
