Zenkraft
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is a coherent Zenkraft integration, but it gives the agent broad authenticated API access, including write and delete requests, without clear confirmation or scope limits.
Install only if you are comfortable granting Membrane-mediated access to Zenkraft. Before allowing the agent to run non-read actions or raw proxy requests, confirm the exact endpoint, method, and expected record changes, and prefer least-privileged credentials.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent chooses the wrong action or endpoint, it could create, change, or delete Zenkraft shipping/logistics records using the user's authenticated connection.
The skill documents a raw authenticated API escape hatch with write and delete methods, but does not describe confirmation, endpoint scoping, or recovery safeguards.
"When the available actions don't cover your use case, you can send requests directly to the Zenkraft API through Membrane's proxy... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE)."
Require explicit user confirmation for POST, PUT, PATCH, and DELETE requests; prefer pre-built read-only actions where possible; and document endpoint and permission limits.
The skill can act through the user's connected Membrane/Zenkraft account until the connection or token is revoked.
The integration depends on delegated account credentials and automatic refresh; this is expected for Zenkraft access but is still sensitive authority.
"Membrane handles authentication and credentials refresh automatically"
Use the least-privileged Zenkraft/Membrane account available and revoke the connection when it is no longer needed.
The installed CLI version may change over time, so behavior depends on the current npm package release.
The setup uses a globally installed npm package pinned to the moving `latest` tag; this is purpose-aligned but not version-locked.
npm install -g @membranehq/cli@latest
Pin a known-good CLI version where possible and install from trusted package sources.
Requests and responses may pass through Membrane while interacting with Zenkraft data.
Zenkraft API traffic and authentication are mediated by Membrane's proxy, which is expected for this skill but creates an external data and credential handling boundary.
"send requests directly to the Zenkraft API through Membrane's proxy. Membrane automatically... injects the correct authentication headers"
Review Membrane's data handling policies and avoid sending unnecessary sensitive fields through proxy requests.
