ClawHub
Back to skill
v1.0.4

Acelle Mail

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:14 AM.

Analysis

The skill is a disclosed Acelle Mail integration, but it gives the agent broad authority to modify email-marketing data and launch campaigns without clear approval guardrails.

GuidanceReview this skill carefully before installing. It appears to be a legitimate Membrane-based Acelle Mail integration, but only connect accounts you intend the agent to manage, and require explicit approval before it deletes subscribers or lists, changes subscriber data, or runs email campaigns.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityHighConfidenceHighStatusConcern
SKILL.md
| Delete Subscriber | delete-subscriber | Permanently delete a subscriber from the system | ... | Delete List | delete-list | Delete a mail list by its UID | ... | Run Campaign | run-campaign | Launch a campaign to start sending emails |

The skill exposes destructive and outward-facing actions, including permanent deletion and starting bulk email campaigns, but the visible instructions do not require explicit user confirmation or scope checks before using them.

User impactAn agent using this skill could change or delete marketing records or start sending campaign emails if given a broad or ambiguous request.
RecommendationBefore installing or using it, require explicit confirmation for delete, unsubscribe, list-update, and run-campaign actions, and ask the agent to preview affected lists, recipients, and message content first.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
npm install -g @membranehq/cli@latest

The skill asks the user to install the Membrane CLI globally from npm using the latest version. This is central to the skill's purpose, but it depends on trusting that package and its current release.

User impactInstalling a global CLI gives that package local execution capability on the user's machine.
RecommendationInstall the CLI only from the official package source, consider pinning a reviewed version, and keep it updated through trusted channels.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
Membrane handles authentication and credentials refresh automatically

Credential handling and refresh are expected for an Acelle Mail integration, but they grant delegated account access that users should understand before connecting.

User impactThe skill may keep access to the connected Acelle Mail account through Membrane, allowing future authenticated actions through that connection.
RecommendationConnect only the intended Acelle Mail account, review the granted scopes or permissions, and revoke the Membrane connection when it is no longer needed.