Placekey

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent Placekey integration, but it requires installing the Membrane CLI and logging into Membrane, and it may make authenticated Placekey API requests on the user’s behalf.

Before installing, make sure you trust Membrane and are comfortable connecting your Placekey account through it. Use the scoped action workflow when possible, and only allow direct proxy requests—especially write or delete requests—when you clearly intend them.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the CLI gives code from the npm package the ability to run on the user’s machine.

Why it was flagged

The skill asks the user to install a global CLI from npm using the moving `latest` tag. This is user-directed and central to the skill, but users should be aware it depends on external package provenance.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Install only if you trust Membrane and the npm package source; consider pinning a known CLI version in managed environments.

What this means

The agent may be able to use the connected Placekey account through Membrane until the connection is revoked or expires.

Why it was flagged

The skill uses Membrane to manage authentication and refreshed credentials for Placekey access. This is expected for the integration, but it delegates account access to the Membrane connection.

Skill content

Membrane handles authentication and credentials refresh automatically

Recommendation

Connect only the intended account, use the least-privileged access available, and revoke the Membrane/Placekey connection when no longer needed.

What this means

If used carelessly, the agent could make unintended authenticated changes or deletions through the Placekey API.

Why it was flagged

The skill documents a broad authenticated API proxy that can use mutating HTTP methods. This is disclosed and purpose-aligned, but it bypasses more scoped pre-built actions.

Skill content

you can send requests directly to the Placekey API through Membrane's proxy ... HTTP method (GET, POST, PUT, PATCH, DELETE)

Recommendation

Prefer listed Membrane actions when possible and require explicit user confirmation before POST, PUT, PATCH, or DELETE requests.

What this means

Request paths, parameters, and bodies may be processed by Membrane before reaching Placekey.

Why it was flagged

The documented data path routes API requests through Membrane as an intermediary. This is disclosed and normal for this skill, but users should understand where request data is sent.

Skill content

send requests directly to the Placekey API through Membrane's proxy

Recommendation

Avoid sending unnecessary sensitive data through proxy requests and review Membrane’s privacy/security posture for your use case.