Moskit

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a coherent Moskit/Membrane integration, but it can use authenticated access to read or change Moskit account data, so users should review actions before running them.

Install only if you trust Membrane and are comfortable connecting a Moskit account. Use least-privilege credentials, prefer pre-built actions, and explicitly approve any request that creates, updates, deletes, uploads, or changes users or other important CRM data.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent is asked to make changes, a mistaken endpoint or method could alter or delete Moskit data.

Why it was flagged

The skill exposes a direct authenticated API proxy with mutating and deleting methods. This is useful for a data-management integration, but it bypasses narrower pre-built action schemas.

Skill content

When the available actions don't cover your use case, you can send requests directly to the Moskit API through Membrane's proxy... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).

Recommendation

Prefer discovered Membrane actions where possible, and require clear user confirmation before POST, PUT, PATCH, DELETE, bulk, or user-management requests.

What this means

The agent may be able to access or modify Moskit data permitted by the connected account.

Why it was flagged

The skill requires authenticated Membrane/Moskit access and uses automatic credential refresh. This is expected for the integration, but it grants delegated account authority.

Skill content

Membrane handles authentication and credentials refresh automatically... `membrane login --tenant --clientName=<agentType>`

Recommendation

Use an account with the least privileges needed, review the connection being used, and revoke the Membrane connection when it is no longer needed.

What this means

The installed CLI version may change over time, and the global install affects the local environment.

Why it was flagged

The setup installs the npm CLI globally from the moving `latest` tag rather than a fixed version. This is central to the skill's operation, but users inherit normal npm/package-update provenance risk.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Install the CLI from the official package source, consider pinning a known version, and avoid running it in sensitive environments without review.

What this means

Moskit request details and returned data may flow through Membrane as part of the integration.

Why it was flagged

Moskit API calls and authentication are mediated by the Membrane gateway. This is disclosed and purpose-aligned, but it is an external data and credential boundary users should recognize.

Skill content

send requests directly to the Moskit API through Membrane's proxy. Membrane automatically appends the base URL to the path you provide and injects the correct authentication headers

Recommendation

Confirm Membrane is an acceptable intermediary for the Moskit data involved, especially for customer, file, or user-management data.