Meetingpulse
Security checks across malware telemetry and agentic risk
Overview
This is a coherent MeetingPulse integration, but it gives the agent broad authenticated API access, including write/delete proxy requests, without visible approval guardrails.
Install this only if you trust Membrane and are comfortable connecting your MeetingPulse account. Before using it, set a rule that the agent must ask before creating, updating, deleting, or proxying requests that affect MeetingPulse organizations or other account data.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent chooses the wrong action or endpoint, it could modify or delete MeetingPulse data under the user's authorized account.
This gives the agent a broad authenticated API escape hatch, including write and delete methods, without visible scoping or confirmation requirements for destructive or account-changing actions.
When the available actions don't cover your use case, you can send requests directly to the MeetingPulse API through Membrane's proxy... injects the correct authentication headers... HTTP method (GET, POST, PUT, PATCH, DELETE).
Require explicit user approval before any non-read action or proxy request, prefer scoped pre-built actions, and document which MeetingPulse resources may be changed.
The agent may act using the user's connected MeetingPulse/Membrane account until access is revoked or expires.
The skill requires delegated authentication and ongoing credential refresh, which is expected for a MeetingPulse integration but gives the agent account-level authority through Membrane.
Membrane handles authentication and credentials refresh automatically... membrane login --tenant --clientName=<agentType>
Use the least-privileged account available, review what access the MeetingPulse connection grants, and revoke the connection when no longer needed.
Installing a global latest-version CLI runs code supplied outside this skill package.
The setup uses a globally installed latest-version npm package. This is central to the skill's purpose, but users should trust the package source and understand that the reviewed artifact does not include the CLI code.
npm install -g @membranehq/cli@latest
Install the CLI only from the official Membrane/npm source, consider pinning a known version, and avoid installing it in sensitive environments unless trusted.
A remote connection response could influence what the agent does during setup or recovery flows.
The skill may consume remote service-provided instructions for the agent. This is part of the Membrane workflow, but such instructions should not override the user's goal or higher-priority safety rules.
clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically.
Treat returned agent instructions as untrusted operational hints, follow them only when they match the user's request, and ask the user before sensitive actions.
MeetingPulse API requests and responses may pass through Membrane infrastructure as part of the integration.
MeetingPulse requests and authentication are mediated through Membrane as a gateway. This is disclosed and purpose-aligned, but users should understand the data and credential boundary.
send requests directly to the MeetingPulse API through Membrane's proxy... injects the correct authentication headers — including transparent credential refresh
Review Membrane's access, logging, and privacy terms before connecting sensitive MeetingPulse data.