Uk Gov Vehicle Enquiry Api
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a disclosed Membrane-based integration for the UK vehicle enquiry API, but it requires third-party authentication and includes broad authenticated API request capabilities.
Before installing, make sure you are comfortable with Membrane acting as the intermediary for authentication and API requests. Use a least-privileged account or API key where possible, confirm raw or non-GET requests before running them, and consider pinning the Membrane CLI version.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill gives the Membrane connection authority to make authenticated API calls on the user's behalf.
The skill relies on delegated authentication and automatic credential refresh through Membrane, which is sensitive account authority but is disclosed and aligned with the API integration purpose.
Membrane handles authentication and credentials refresh automatically
Authenticate only with the intended Membrane/API account, review any requested scopes or connection details, and revoke the connection when it is no longer needed.
If used carelessly, the agent could make authenticated requests to unintended endpoints or use non-read methods where the connected API supports them.
The raw proxy command can send authenticated requests beyond the discovered action list. This is disclosed as a fallback workflow, but it is broader than a narrowly scoped query action.
membrane request CONNECTION_ID /path/to/endpoint ... HTTP method (GET, POST, PUT, PATCH, DELETE)
Prefer listed actions when available, verify the endpoint and input before running raw proxy requests, and require explicit confirmation for POST, PUT, PATCH, or DELETE requests.
A future CLI version could behave differently from the version reviewed, and a global install runs with the user's local permissions.
The setup uses a globally installed npm CLI package with the moving @latest tag. This is a normal integration dependency, but it is not pinned in the provided artifact.
npm install -g @membranehq/cli@latest
Install from the official npm package source, consider pinning a known CLI version, and avoid running the installation with unnecessary elevated privileges.
