Hunter

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a legitimate Hunter/Membrane integration, but it gives the agent broad authenticated API access through a proxy, so review permissions before using it.

Install only if you trust Membrane and the npm CLI package. Use a limited Hunter account or connection, prefer the listed actions, and explicitly approve any direct or mutating API request before the agent runs it.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent is prompted incorrectly or misled, it could make broad Hunter API requests, including possible account or data changes if supported by the API.

Why it was flagged

This gives the agent a raw authenticated API path outside the listed action schemas, without visible method, endpoint, or confirmation limits.

Skill content
When the available actions don't cover your use case, you can send requests directly to the Hunter API through Membrane's proxy... membrane request CONNECTION_ID /path/to/endpoint
Recommendation

Prefer reviewed listed actions, require explicit user confirmation before any mutating request, and restrict the Hunter/Membrane connection to the minimum permissions needed.

What this means

The agent can access Hunter data through the authenticated Membrane connection.

Why it was flagged

The skill uses delegated account credentials and refresh behavior. This is expected for a Hunter integration, but users should understand the account authority being granted.

Skill content
Membrane handles authentication and credentials refresh automatically
Recommendation

Use a least-privilege Hunter account or connection, review the Membrane authorization screen, and revoke the connection when it is no longer needed.

What this means

Installing the CLI runs third-party code on the user's machine, and future installs may resolve to a different version.

Why it was flagged

The setup installs a global CLI from npm using the moving latest tag. This is purpose-aligned, but it introduces normal package provenance and version drift risk.

Skill content
npm install -g @membranehq/cli@latest
Recommendation

Install only from a trusted environment, consider pinning a reviewed CLI version, and verify the package source.

What this means

Hunter request data and related authentication handling may pass through Membrane infrastructure.

Why it was flagged

Hunter API traffic and authentication are mediated by Membrane. This is disclosed and expected, but the visible artifact does not further describe data handling boundaries.

Skill content
send requests directly to the Hunter API through Membrane's proxy. Membrane automatically appends the base URL to the path you provide and injects the correct authentication headers
Recommendation

Review Membrane's privacy and security terms, and avoid sending sensitive data beyond what is necessary for the requested Hunter task.