Proxycurl
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: proxycurl Version: 1.0.2 The proxycurl skill bundle provides instructions for an AI agent to interact with the Proxycurl API via the Membrane platform. It utilizes the legitimate '@membranehq/cli' tool for authentication and API request management. The instructions in SKILL.md are well-documented, focusing on standard integration tasks such as connection management and action execution without any signs of malicious intent, data exfiltration, or prompt injection attacks.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing a global CLI gives that package code execution on the user's machine during installation and use.
The skill instructs users to install a global CLI package, and later references npx @membranehq/cli@latest. This is central to the stated Membrane integration, but users should verify the package and source before installing.
npm install -g @membranehq/cli
Install only from the expected npm package, review the package provenance if needed, and avoid running the CLI from an untrusted environment.
Requests made through the skill may use the user's connected Proxycurl/Membrane account and may consume account credits or access account-scoped data.
The skill relies on Membrane-managed authentication and credential refresh for the user's Proxycurl connection. This is expected for the integration, but it means actions run with the authority of that connected account.
Membrane handles authentication and credentials refresh automatically
Connect only the intended account or tenant, and review high-volume or account-affecting actions before allowing them.
If used carelessly, raw requests could call unintended endpoints, consume credits, or perform account-affecting operations supported by the API.
The skill documents a raw proxy request fallback, including HTTP methods such as GET, POST, PUT, PATCH, and DELETE, with authentication headers injected by Membrane. This is a broad but disclosed API escape hatch for cases where pre-built actions do not cover the user request.
membrane request CONNECTION_ID /path/to/endpoint
Prefer listed Membrane actions when available, and require clear user intent before using raw requests, especially for non-GET methods or high-volume lookups.
The skill may retrieve or process personal profile, email, and phone information from an external provider.
The skill can query third-party personal or professional contact data through Proxycurl via Membrane. This is aligned with the stated Proxycurl purpose, but users should treat those provider data flows as sensitive.
Email Lookup API — Look up an email address. Phone Number Lookup API — Look up a phone number.
Use the integration only for appropriate, authorized enrichment tasks and avoid submitting or storing unnecessary personal data.