Api Void
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to be a normal Membrane-backed ApiVoid integration, but users should note that it requires installing a CLI and logging in, and that it can send authenticated API requests.
Before installing, confirm you trust Membrane's CLI and are comfortable connecting your ApiVoid account. Ask the agent to list the exact actions it will use, and require explicit confirmation for any direct proxy request or write/delete operation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may be able to act through your Membrane-connected ApiVoid account.
The skill relies on Membrane-managed account authentication and credential refresh. This is expected for the integration, but it gives the agent delegated access through the connected account.
Membrane handles authentication and credentials refresh automatically
Only connect accounts you intend the agent to use, and review the actions it plans to run before approving sensitive operations.
If used carelessly, the agent could make authenticated API calls beyond the pre-discovered action list.
The proxy request feature is purpose-aligned as an API fallback, but it is broader than named actions and includes write/delete-capable HTTP methods with injected authentication.
you can send requests directly to the Api Void API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE)
Ask the agent to explain any direct proxy request first, and require confirmation for POST, PUT, PATCH, or DELETE requests.
The installed CLI version may change over time and will run with the permissions of the installing user.
The documented setup installs a global npm CLI at the moving latest tag rather than a fixed version. This is a common integration setup, but the version is not pinned in the artifact and the install is not represented by a formal install spec.
npm install -g @membranehq/cli@latest
Install the Membrane CLI from the official npm package, consider pinning a known version, and keep it updated through trusted channels.
A connection workflow may provide additional instructions to the agent during setup.
The skill describes remote connection state output that may include agent instructions. This is integration plumbing, but remote instructions should not override the user's request or safety boundaries.
clientAction.agentInstructions (optional) — instructions for the AI agent on how to proceed programmatically
Treat returned agent instructions as task-specific guidance only, and do not allow them to override user approval or safety requirements.
The skill may describe broader capabilities than the specific ApiVoid actions you expect.
The skill uses broad, generic wording about managing data and workflows, while the listed popular actions are mostly reputation and lookup actions. This looks like generic integration text rather than deception, but users should verify the actual action list.
Api Void integration. Manage data, records, and automate workflows... Popular actions... Check URL Reputation... DNS Lookup... Verify Email
Have the agent list available actions for the specific connection before running them, and confirm that they match your intended ApiVoid use case.
