Digiteal

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This Digiteal skill is mostly coherent, but it gives the agent broad authenticated access to run arbitrary Digiteal API requests, including modifying or deleting legally important documents, without clear approval guardrails.

Install only if you trust Membrane and want an agent to operate your Digiteal account. Before allowing edits, sends, signatures, deletions, or raw API proxy requests, ask the agent to show the exact action, endpoint, parameters, and expected effect, and confirm high-impact changes explicitly.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could alter, send, or delete important Digiteal records if it chooses the wrong endpoint or acts on an ambiguous request.

Why it was flagged

This gives the agent an authenticated raw API escape hatch, including destructive or mutating methods, for a platform handling legally binding documents. The artifact does not state clear confirmation, scoping, or rollback requirements before high-impact actions.

Skill content

When the available actions don't cover your use case, you can send requests directly to the Digiteal API through Membrane's proxy... Flag ... HTTP method (GET, POST, PUT, PATCH, DELETE).

Recommendation

Only allow direct proxy requests for clearly specified user requests, require explicit confirmation before POST/PUT/PATCH/DELETE actions, and prefer safer prebuilt actions whenever possible.

What this means

The skill can act through the connected Digiteal account according to the permissions granted during authentication.

Why it was flagged

Authenticated Digiteal access is expected for this integration, but it gives the skill delegated account access and ongoing credential refresh.

Skill content

Membrane handles authentication and credentials refresh automatically... The user completes authentication in the browser.

Recommendation

Use a least-privilege Digiteal/Membrane account where possible and review what permissions are granted during the connection flow.

What this means

The installed CLI version may change over time, so behavior may differ from what was reviewed in this artifact.

Why it was flagged

The CLI install is purpose-aligned, but it uses a global npm install with the moving @latest version rather than a pinned version.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Install from a trusted source, consider pinning a known Membrane CLI version, and keep the CLI updated through normal trusted package-management practices.

What this means

Digiteal document data and API operations may be mediated through Membrane as part of the integration.

Why it was flagged

The skill routes authenticated Digiteal API calls through Membrane's proxy. This is disclosed and purpose-aligned, but it is an important data-flow boundary for sensitive documents and account actions.

Skill content

send requests directly to the Digiteal API through Membrane's proxy. Membrane automatically appends the base URL... and injects the correct authentication headers

Recommendation

Review Membrane and Digiteal trust, privacy, and access controls before using the skill with sensitive contracts, invoices, or signed documents.