Formspree
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: formspree Version: 1.0.4 The skill bundle provides instructions for integrating with Formspree using the Membrane CLI. It guides the agent through installing the CLI, authenticating via a managed service, and performing API actions. No malicious code, data exfiltration, or harmful prompt injections were found; the behavior is consistent with its stated purpose of form management.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You are trusting the current npm-published Membrane CLI package to handle the integration.
The skill asks the user to install a globally available CLI from npm using the moving 'latest' tag. This is purpose-aligned for a Membrane-based integration, but it means the installed code is not pinned in the artifact.
npm install -g @membranehq/cli@latest
Install only from the official package source, consider pinning a known version, and review the package provenance if your environment is sensitive.
The agent can use the connected Formspree account through Membrane for actions the connection permits.
The skill relies on Membrane to authenticate and refresh credentials for Formspree access. This is expected for the stated integration, but it grants delegated account authority.
Membrane handles authentication and credentials refresh automatically
Connect only the intended Formspree account, review any scopes or permissions during authentication, and revoke the connection when it is no longer needed.
If used carelessly, direct API requests could change or delete Formspree resources depending on the connected account permissions.
The documented proxy fallback can make authenticated direct API requests, including mutating methods. This is disclosed and aligned with managing Formspree, but it is broader than a fixed set of safe actions.
When the available actions don't cover your use case, you can send requests directly to the Formspree API through Membrane's proxy... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).
Prefer specific Membrane actions when available, and ask for explicit user confirmation before POST, PUT, PATCH, or DELETE requests.
Formspree API requests and responses may pass through Membrane as part of the integration workflow.
Formspree requests are routed through the Membrane proxy, which mediates authentication. This gateway flow is disclosed and purpose-aligned, but users should understand that Membrane is part of the data path.
you can send requests directly to the Formspree API through Membrane's proxy. Membrane automatically appends the base URL to the path you provide and injects the correct authentication headers
Use this only if you are comfortable with Membrane acting as the integration gateway for the connected Formspree account.