Gryd
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is not clearly malicious, but its stated purpose is inconsistent and it gives the agent broad authenticated access to make Gryd API changes with limited guardrails.
Before installing or using this skill, confirm that it is the correct Gryd integration for your use case, install the Membrane CLI only from a trusted source, and require explicit approval before the agent performs any create, update, or delete API request.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may authorize or run the skill expecting one kind of Gryd workflow while the agent is guided toward unrelated API actions.
The skill's domain explanation and listed actions point to different kinds of data, making it unclear what the integration is actually intended to manage.
Gryd is a platform used by real estate professionals... Popular actions: Get Vehicle ULEZ Data, Get Vehicle MOT Data, Get Vehicle Data, Get Vehicle DVLA Data
Clarify the actual Gryd product, supported data types, and intended actions before granting access or using the skill for account changes.
If used carelessly, the agent could modify or delete remote Gryd account data through the connected account.
The skill exposes a raw authenticated API proxy, including mutating and deleting methods, without documenting approval requirements or bounds on which endpoints may be used.
membrane request CONNECTION_ID /path/to/endpoint ... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE)
Require explicit user confirmation for POST, PUT, PATCH, and DELETE requests, prefer listed Membrane actions, and document endpoint/path limits.
The agent can act through the user's connected Gryd account once authentication is complete.
The skill requires delegated Membrane/Gryd authentication and automatic credential handling, which is expected but grants account-level authority.
membrane login --tenant ... Membrane handles authentication and credentials refresh automatically ... injects the correct authentication headers
Connect only the intended account, review granted scopes if available, and revoke the connection when it is no longer needed.
Installing a global CLI can affect the local environment and executes code from the npm package source.
The skill asks the user to install a global npm CLI package. This is central to the integration, but it depends on trusting that external package and version resolution.
npm install -g @membranehq/cli
Install the CLI only from the official package source, consider pinning a known version, and keep it updated.
Request contents and responses may pass through Membrane and Gryd rather than staying local.
The skill discloses that API calls are routed through Membrane as a proxy to Gryd, creating an external service data flow.
send requests directly to the Gryd API through Membrane's proxy
Avoid sending unnecessary sensitive data and confirm that Membrane/Gryd are acceptable processors for the data involved.