Pricefy
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Pricefy is a coherent Membrane-based PRICEFY.IO integration, but it exposes broad authenticated API access that can change or delete business data without clearly documented guardrails.
Install only if you trust Membrane as the intermediary for PRICEFY.IO access. Review and approve any write/delete or raw proxy request, use the least-privileged account available, and consider pinning the Membrane CLI version before installing.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong endpoint or parameters, the agent could alter or delete pricing/business records in the connected PRICEFY.IO account.
The skill provides an authenticated raw API escape hatch that can perform write and delete operations against PRICEFY.IO, but the visible instructions do not bound which endpoints or mutations are safe.
"send requests directly to the PRICEFY.IO API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE)"
Require explicit user approval for POST, PUT, PATCH, DELETE, or proxy requests; prefer scoped Membrane actions; and confirm the target connection and payload before execution.
The agent may be able to access or modify PRICEFY.IO data available to the authenticated account.
The skill depends on delegated Membrane/PRICEFY.IO authentication and refresh, which is expected for the integration but gives the tool continuing authority to act through the connected account.
"Membrane handles authentication and credentials refresh automatically"
Connect only the intended account, use least-privilege access where possible, and revoke the Membrane connection when it is no longer needed.
The behavior of the installed CLI may change over time or differ from what was reviewed here.
The documented setup installs an unpinned latest-version CLI globally from npm. This is central to the Membrane integration, but it means the reviewed artifact does not fully define the code that will run.
npm install -g @membranehq/cli@latest
Install the Membrane CLI only from the expected package source, consider pinning a specific version, and review npm package provenance before use.
