Builderall Mailingboss
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: builderall-mailingboss
Version: 1.0.4
The skill bundle provides standard instructions for an AI agent to interact with the Builderall Mailingboss API via the Membrane CLI. It covers authentication, connection management, and action execution (SKILL.md). The logic is entirely functional and aligned with the stated purpose of email marketing automation, with no evidence of malicious intent, data exfiltration, or unauthorized access.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken prompt or autonomous tool choice could modify or delete subscribers, campaigns, SMS/email marketing data, or other Builderall Mailingboss records.
This creates a broad authenticated API escape hatch, including mutating and deleting methods, without clear endpoint limits or confirmation requirements in the provided text.
When the available actions don't cover your use case, you can send requests directly to the Builderall Mailingboss API through Membrane's proxy... HTTP method (GET, POST, PUT, PATCH, DELETE).
Require explicit user approval before POST/PUT/PATCH/DELETE requests, prefer discovered scoped actions over raw proxy calls, preview changes, and limit use to the intended connection and endpoints.
The agent may be able to act on the connected Builderall Mailingboss account within the permissions granted to the Membrane connection.
The skill relies on delegated account authentication and credential refresh, which is expected for this integration but gives the agent authenticated access through Membrane.
Membrane handles authentication and credentials refresh automatically — so you can focus on the integration logic rather than auth plumbing.
Use the least-privileged account or connection available, review granted permissions, and revoke the Membrane connection when it is no longer needed.
The behavior depends on the npm package and version available at install time, which may differ from what was reviewed here.
The setup depends on installing the latest version of an external global npm package; this is central to the stated purpose but is unpinned and not part of the reviewed artifact.
npm install -g @membranehq/cli@latest
Install only from the trusted npm package, consider pinning a known-good version, and review the CLI provenance before granting account access.
Subscriber, campaign, and automation data may pass through Membrane as part of normal operation.
Authenticated API requests and returned account data are routed through the Membrane proxy, introducing an external gateway boundary users should understand.
send requests directly to the Builderall Mailingboss API through Membrane's proxy... injects the correct authentication headers
Review Membrane's data handling and logging policies, and avoid sending unnecessary sensitive subscriber data through raw proxy requests.
