Builderall Mailingboss
Review
Audited by ClawScan on May 10, 2026.
Overview
This looks like a legitimate Builderall/Membrane integration, but it should be reviewed because it gives the agent broad authenticated API access that can change or delete mailing-list and campaign data.
Install only if you are comfortable giving Membrane-mediated access to your Builderall Mailingboss account. Use a limited account where possible, confirm any create/update/delete or campaign-related action before it runs, and be cautious with raw proxy requests because they can affect real subscriber and marketing data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken prompt or autonomous tool choice could modify or delete subscribers, campaigns, SMS/email marketing data, or other Builderall Mailingboss records.
This creates a broad authenticated API escape hatch, including mutating and deleting methods, without clear endpoint limits or confirmation requirements in the provided text.
When the available actions don't cover your use case, you can send requests directly to the Builderall Mailingboss API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE).
Require explicit user approval before POST/PUT/PATCH/DELETE requests, prefer discovered scoped actions over raw proxy calls, preview changes, and limit use to the intended connection and endpoints.
The agent may be able to act on the connected Builderall Mailingboss account within the permissions granted to the Membrane connection.
The skill relies on delegated account authentication and credential refresh, which is expected for this integration but gives the agent authenticated access through Membrane.
Membrane handles authentication and credentials refresh automatically — so you can focus on the integration logic rather than auth plumbing.
Use the least-privileged account or connection available, review granted permissions, and revoke the Membrane connection when it is no longer needed.
The behavior depends on the npm package and version available at install time, which may differ from what was reviewed here.
The setup depends on installing the latest version of an external global npm package; this is central to the stated purpose but is unpinned and not part of the reviewed artifact.
npm install -g @membranehq/cli@latest
Install only from the trusted npm package, consider pinning a known-good version, and review the CLI provenance before granting account access.
Subscriber, campaign, and automation data may pass through Membrane as part of normal operation.
Authenticated API requests and returned account data are routed through the Membrane proxy, introducing an external gateway boundary users should understand.
send requests directly to the Builderall Mailingboss API through Membrane's proxy... injects the correct authentication headers
Review Membrane's data handling and logging policies, and avoid sending unnecessary sensitive subscriber data through raw proxy requests.
