Comeet
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a legitimate Comeet integration, but it gives the agent broad authenticated access to run direct Comeet API requests, including write and delete operations, without clear guardrails.
Install only if you are comfortable giving Membrane authenticated access to Comeet. Review every direct API request, especially write or delete operations, use least-privileged credentials, and verify or pin the Membrane CLI before installing it globally.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overbroad request could change or delete Comeet recruiting records such as jobs, candidates, tasks, or templates.
The skill gives the agent a broad authenticated API escape hatch, including destructive HTTP methods, without clear in-skill approval or scoping rules.
When the available actions don't cover your use case, you can send requests directly to the Comeet API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE).
Require explicit user confirmation before POST, PUT, PATCH, or DELETE requests; prefer listed Membrane actions; and review endpoint, method, and payload before running direct proxy calls.
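One way an agent harness can enforce the mitigation above (confirmation before write or delete methods, a reviewed endpoint allowlist, and a method/endpoint/payload summary for the user) is a pre-flight gate in front of the proxy call. The block below is an added example, not Membrane's or the Comeet skill's code; the allowlist prefixes, the request shape ({method, path, headers, body, userConfirmed}) and the sendThroughProxy stand-in are assumptions, and the sample requests are constructed.

```javascript
// Added example: a pre-flight gate for "direct API request" proxy calls.
// Not Membrane's or the Comeet skill's code. The allowlist prefixes, the
// request shape and sendThroughProxy are assumptions for illustration.

const READ_ONLY_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Hypothetical: path prefixes the operator has reviewed for this deployment.
// Real Comeet API paths may differ; treat these as placeholders.
const ALLOWED_PATH_PREFIXES = ["/jobs", "/candidates", "/tasks", "/templates"];

// Resolve "." and ".." segments and drop the query string so that
// "/jobs/../admin" cannot pass a naive prefix check.
function normalizePath(path) {
  const segments = [];
  for (const seg of path.split("?")[0].split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { segments.pop(); continue; }
    segments.push(seg);
  }
  return "/" + segments.join("/");
}

function headerNames(req) {
  return Object.keys(req.headers || {}).map((h) => h.toLowerCase());
}

// Returns { action: "allow" | "confirm" | "deny", method, path, reason }.
function evaluateDirectRequest(req, allowedPrefixes = ALLOWED_PATH_PREFIXES) {
  const method = String(req.method || "").toUpperCase();
  const path = normalizePath(String(req.path || ""));
  const base = { method, path };

  // Some proxies honour method-override headers, which would turn a "GET"
  // into a DELETE after this check ran. Refuse them outright.
  if (headerNames(req).includes("x-http-method-override")) {
    return { ...base, action: "deny", reason: "method-override header not permitted" };
  }
  if (!allowedPrefixes.some((p) => path === p || path.startsWith(p + "/"))) {
    return { ...base, action: "deny", reason: "path outside reviewed allowlist" };
  }
  if (READ_ONLY_METHODS.has(method)) {
    return { ...base, action: "allow", reason: "read-only method" };
  }
  if (!WRITE_METHODS.has(method)) {
    return { ...base, action: "deny", reason: `unsupported method ${method || "(none)"}` };
  }
  if (!req.userConfirmed) {
    return { ...base, action: "confirm",
      reason: `${method} can change or delete Comeet records; show endpoint, method and payload and ask the user` };
  }
  return { ...base, action: "allow", reason: "write method explicitly confirmed" };
}

// Compact summary to put in front of the user before a write is confirmed.
function describeForReview(req) {
  const body = req.body === undefined ? "" : JSON.stringify(req.body);
  const d = evaluateDirectRequest(req);
  return `${d.method} ${d.path} (${body.length} bytes of JSON body)`;
}

// Stand-in for the real proxy call; only records what would have been sent.
function sendThroughProxy(req, sent = []) {
  const decision = evaluateDirectRequest(req);
  if (decision.action === "allow") sent.push(`${decision.method} ${decision.path}`);
  return decision;
}

// Constructed sample requests an agent might produce.
const samples = [
  { method: "get", path: "/jobs?status=open" },
  { method: "DELETE", path: "/candidates/42" },
  { method: "DELETE", path: "/candidates/42", userConfirmed: true },
  { method: "GET", path: "/jobs/../admin/users" },
  { method: "GET", path: "/jobs", headers: { "X-HTTP-Method-Override": "DELETE" } },
];

function runSamples() {
  const sent = [];
  const decisions = samples.map((r) => sendThroughProxy(r, sent));
  return { decisions, sent };
}

for (const d of runSamples().decisions) {
  console.log(`${d.action.padEnd(7)} ${d.method} ${d.path}: ${d.reason}`);
}
```

The gate is deliberately fail-closed: anything not on the reviewed allowlist, any method it does not recognise, and any attempt to smuggle a method through an override header is denied rather than passed to the proxy, and write methods only go through once the user has seen the summary and confirmed. Prefer the listed Membrane actions where they exist; this gate is for the residual direct calls.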
The agent may be able to access or modify Comeet data according to the connected account's permissions.
The skill relies on delegated Membrane/Comeet authentication, which is expected for the integration but gives the agent account-level access through the connected service.
Membrane handles authentication and credentials refresh automatically
Use the least-privileged Comeet account or connection available, review granted access, and revoke the Membrane connection when it is no longer needed.
Installing the CLI adds executable software to the local environment, and @latest may change over time.
The skill directs a global npm install of the CLI using the moving @latest tag, so each install resolves to whichever version is current at that moment; this is purpose-aligned but makes the installed code depend on the package's publishers and on every future release, none of which the skill reviews or pins.
npm install -g @membranehq/cli@latest
Install only from the trusted Membrane package source, consider pinning a reviewed CLI version, and avoid running the CLI with unnecessary elevated privileges.
