Replyio
Analysis
This looks like a real Reply.io integration, but it gives the agent broad credentialed API power and asks it to install unpinned remote CLI code without clear safety limits.
Findings (9)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.
The skill allows dynamic instructions returned by the external connection flow to guide the agent. This is purpose-aligned for setup, but it gives retrieved content some authority over next steps.
Proxy requests... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).
The skill authorizes direct authenticated API proxy calls, including mutating and deleting methods, without artifact-level approval, endpoint, record, or bulk-operation limits.
npm install -g @membranehq/cli@latest
The skill instructs installation of a globally available npm package using the moving `@latest` tag, so the installed code is not pinned to a reviewed version.
Use `npx @membranehq/cli@latest action list --intent=QUERY --connectionId=CONNECTION_ID --json`
The instruction-only skill tells the agent to execute remote npm CLI code via `npx @latest`, which can download and run code outside the reviewed artifact set.
Manage Persons, Organizations, Leads, Activities, Notes, Files and more.
The skill can operate across multiple categories of Reply.io business data, and the artifacts do not describe containment such as dry-run mode, batch limits, rollback, or approval gates.
Membrane provides pre-built actions with built-in auth, pagination, and error handling... make communication more secure
The skill makes a general security-benefit claim about using Membrane. It may be true, but the artifacts do not substantiate the claim or balance it against the broad proxy and credentialed access.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Membrane handles authentication and credentials refresh automatically
The skill relies on delegated account access with automatic credential refresh, but the artifacts do not state the exact scopes, duration, revocation process, or boundaries for the Reply.io connection.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
Use `membrane connection ensure` to find or create a connection... The output contains the new connection id.
The skill creates or reuses a persistent connection identifier that can be referenced across future commands. This is expected for an integration, but it is persistent sensitive context.
send requests directly to the Reply.io API through Membrane's proxy... injects the correct authentication headers
The integration uses Membrane as a gateway/proxy for Reply.io API traffic and authentication headers. This is disclosed and purpose-aligned, but it means sensitive traffic is brokered through a third party.