Clearbit

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Clearbit integration skill, but users should be careful because it can send lead or customer data through Membrane to Clearbit.

Install only if you trust Membrane and intend to connect a Clearbit account. Prefer the listed Membrane actions over raw proxy requests, avoid sending data you are not allowed to share with Clearbit or Membrane, and require explicit confirmation before any non-GET proxy request or request that could change account data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The manifest and top-level description scope the skill as managing Persons and Organizations, but the documentation enables a wider set of capabilities including prospecting, bulk enrichment, and arbitrary proxy access to the Clearbit API. This mismatch can cause an agent or reviewer to underestimate what the skill can do, increasing the risk of unintended data access or transmission.

Missing User Warnings

Medium
Confidence: 95%
Finding
The proxy request section encourages direct API calls through Membrane but does not warn that arbitrary requests may send personal, customer, or prospect data to a third-party service over the network. In a data-enrichment context, this omission is significant because users may transmit sensitive identifiers or business data without explicit awareness or consent checks.

VirusTotal

65/65 vendors flagged this skill as clean.
