Nasdaq Data Link

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a coherent Nasdaq Data Link integration, but it grants Membrane/Nasdaq account access and can proxy API requests, so users should review the requested access before use.

Before installing, confirm you trust Membrane and want this agent to access your Nasdaq Data Link account. Prefer read-only or least-privileged access where possible, pin or review the Membrane CLI package, and require confirmation before any action that creates, changes, or deletes data.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the CLI may run code that was not reviewed here and may change over time.

Why it was flagged

The skill asks the user or agent to install an external CLI globally using the moving @latest tag. This is central to the integration, but the executable code is not part of the reviewed artifact.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Install only from the trusted Membrane/npm source, consider pinning a specific CLI version, and review the package before using it with account credentials.

What this means

The agent may be able to access Nasdaq Data Link data through the authenticated Membrane connection.

Why it was flagged

The skill requires Membrane account login and a Nasdaq Data Link connection. This is expected for the service integration, but it grants delegated account access.

Skill content

membrane login --tenant --clientName=<agentType> ... The user completes authentication in the browser.

Recommendation

Use the least-privileged Nasdaq/Membrane account available, verify the connection target is data.nasdaq.com, and revoke the connection when it is no longer needed.

What this means

If used carelessly, the agent could modify or delete data through the authenticated Nasdaq API.

Why it was flagged

The documented proxy can issue broad direct API requests, including mutating methods. This is disclosed and aligned with an integration skill, but it bypasses narrower pre-built actions.

Skill content

you can send requests directly to the Nasdaq Data Link API through Membrane's proxy ... HTTP method (GET, POST, PUT, PATCH, DELETE)

Recommendation

Require explicit user confirmation before POST, PUT, PATCH, or DELETE requests, and prefer discovered Membrane actions when they cover the task.

What this means

Nasdaq request paths, bodies, and delegated authentication flow through a third-party integration service.

Why it was flagged

The skill routes Nasdaq API requests through Membrane as a gateway that handles authentication. This is disclosed and purpose-aligned, but it means request data and credential handling depend on Membrane.

Skill content

Membrane automatically appends the base URL to the path you provide and injects the correct authentication headers — including transparent credential refresh

Recommendation

Use this only if you trust Membrane for this account, and avoid sending unnecessary sensitive data in request bodies or headers.

What this means

A remote setup response could influence what the agent does next during connection handling.

Why it was flagged

The skill may consume remote instructions returned during connection setup. This is presented as connection guidance, but external instructions should not override the user’s goal or safety checks.

Skill content

clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically

Recommendation

Treat returned agentInstructions as advisory setup information and keep user intent, domain scope, and approval requirements authoritative.