Jobvite
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a real Jobvite integration, but it can give the agent broad authenticated access to Jobvite through Membrane, including operations that could change or delete hiring records.
Before installing, make sure you are comfortable using Membrane as a gateway to your Jobvite account. Use least-privilege access, prefer prebuilt read/scoped actions, and require the agent to ask before changing, deleting, or bulk-processing recruiting records.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overbroad request could change or delete Jobvite recruiting data such as candidate, application, or job records.
The skill gives the agent a raw, authenticated API escape hatch that includes methods able to modify or delete Jobvite data, rather than restricting it to scoped prebuilt actions.
When the available actions don't cover your use case, you can send requests directly to the Jobvite API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE).
Prefer scoped Membrane actions where possible, and require explicit user confirmation plus endpoint/body review before any POST, PUT, PATCH, DELETE, or bulk operation.
The agent may be able to act through the connected Jobvite account within whatever permissions the user grants.
The skill relies on delegated Membrane and Jobvite authentication with credential refresh; this is expected for the integration but grants account-level access.
Membrane handles authentication and credentials refresh automatically... The user completes authentication in the browser. The output contains the new connection id.
Connect with the least-privileged Jobvite account or scope available, and revoke the Membrane connection when it is no longer needed.
Installing a global latest-version CLI means future package changes affect what code runs on the user's machine.
The skill asks for a global install of the latest external CLI package. This is central to the integration and user-directed, but an unpinned global install depends on the integrity of whatever package version npm serves at install time.
npm install -g @membranehq/cli@latest
Install the CLI only from the trusted npm package, consider pinning a reviewed version, and keep it updated through normal trusted channels.
Candidate, application, or job data may be processed through Membrane while using the integration.
Jobvite requests and responses can pass through Membrane as a third-party gateway. This is disclosed and purpose-aligned, but users should understand that sensitive recruiting data may transit that service.
you can send requests directly to the Jobvite API through Membrane's proxy. Membrane automatically... injects the correct authentication headers
Review Membrane's security and privacy terms, and avoid sending unnecessary sensitive data through proxy requests.
