Lusha

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: lusha
Version: 1.0.4

The skill bundle provides a legitimate integration for Lusha using the Membrane CLI. It contains instructions for the AI agent to manage B2B contact data, handle authentication via OAuth/Device flows, and execute actions through the 'membrane' command-line tool. No evidence of malicious intent, data exfiltration, or harmful prompt injection was found; the instructions prioritize secure credential management through the third-party Membrane platform.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the CLI gives code from that npm package local execution capability on the user's machine.

Why it was flagged

The setup installs a remote npm CLI globally and tracks the latest release rather than a pinned version. This is central to the skill's stated Membrane workflow, but users should trust the package source before installing.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Install the CLI only from the expected npm publisher, consider pinning a reviewed version, and keep it updated through normal package-management practices.

What this means

The connected Membrane/Lusha account can be used to access Lusha data and perform available Lusha actions.

Why it was flagged

The skill requires delegated account authentication and ongoing credential refresh through Membrane. This is expected for a Lusha integration, but it is sensitive authority.

Skill content

Membrane handles authentication and credentials refresh automatically ... membrane login --tenant --clientName=<agentType>

Recommendation

Authenticate only the intended account, review what Lusha permissions are granted, and revoke the connection when it is no longer needed.

What this means

Business contact data and account interaction details may pass through Membrane while using the skill.

Why it was flagged

The integration routes Lusha interaction through Membrane as an external gateway. This is disclosed and purpose-aligned, but users should recognize that contact/company queries and results flow through that integration path.

Skill content

This skill uses the Membrane CLI to interact with Lusha.

Recommendation

Use the skill only for data you are comfortable processing through Membrane and Lusha, and follow your organization's rules for handling contact data.

Note (Medium Confidence)

ASI01: Agent Goal Hijack

What this means

A setup response could guide the agent's next steps during connection handling.

Why it was flagged

The skill allows connection responses to include programmatic instructions for the agent. This is part of the disclosed setup flow, but such instructions should stay limited to the user's requested Lusha connection task.

Skill content

clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically.

Recommendation

Treat returned agent instructions as lower-priority setup guidance and keep actions bounded to the user's explicit Lusha request.