Moskit
PassAudited by VirusTotal on Apr 30, 2026.
Overview
Type: OpenClaw Skill Name: moskit-integration Version: 1.0.2 The skill bundle provides a standard integration for Moskit CRM via the Membrane CLI, as detailed in SKILL.md. Although SKILL.md contains a copy-paste error describing Moskit as a session replay tool instead of a CRM, the functional instructions (e.g., membrane connection ensure, membrane action run) are legitimate and aligned with the stated purpose. No evidence of malicious intent, data exfiltration, or harmful prompt injection was found in SKILL.md or _meta.json.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent is asked to make changes, a mistaken endpoint or method could alter or delete Moskit data.
The skill exposes a direct authenticated API proxy with mutating and deleting methods. This is useful for a data-management integration, but it bypasses narrower pre-built action schemas.
When the available actions don't cover your use case, you can send requests directly to the Moskit API through Membrane's proxy... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).
Prefer discovered Membrane actions where possible, and require clear user confirmation before POST, PUT, PATCH, DELETE, bulk, or user-management requests.
The agent may be able to access or modify Moskit data permitted by the connected account.
The skill requires authenticated Membrane/Moskit access and uses automatic credential refresh. This is expected for the integration, but it grants delegated account authority.
Membrane handles authentication and credentials refresh automatically... `membrane login --tenant --clientName=<agentType>`
Use an account with the least privileges needed, review the connection being used, and revoke the Membrane connection when it is no longer needed.
The installed CLI version may change over time, and the global install affects the local environment.
The setup uses a globally installed npm CLI pinned to the moving `latest` tag. This is central to the skill's operation, but users inherit normal npm/package-update provenance risk.
npm install -g @membranehq/cli@latest
Install the CLI from the official package source, consider pinning a known version, and avoid running it in sensitive environments without review.
Moskit request details and returned data may flow through Membrane as part of the integration.
Moskit API calls and authentication are mediated by the Membrane gateway. This is disclosed and purpose-aligned, but it is an external data and credential boundary users should recognize.
send requests directly to the Moskit API through Membrane's proxy. Membrane automatically appends the base URL to the path you provide and injects the correct authentication headers
Confirm Membrane is an acceptable intermediary for the Moskit data involved, especially for customer, file, or user-management data.