Laposta

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent Laposta/Membrane integration, but review it because it can use delegated credentials to run actions that permanently change or delete mailing-list data without documented confirmation safeguards.

Install only if you trust Membrane and need an agent to manage Laposta data. Before using it, verify the CLI package, connect the correct account, and require explicit confirmation before any update or permanent delete action.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or overbroad agent action could permanently delete subscribers or mailing lists in the user's Laposta account.

Why it was flagged

The skill exposes permanent deletion actions and generic run instructions, but the artifact does not require explicit user confirmation, target verification, or rollback guidance before destructive operations.

Skill content

Use action names and parameters as needed. ... | Delete Member | delete-member | Permanently delete a member/subscriber from a list | ... | Delete List | delete-list | Delete a mailing list permanently | ... membrane action run <actionId> --connectionId=CONNECTION_ID --json

Recommendation

Require explicit user confirmation for create/update/delete actions, especially permanent deletes; include the exact action, connection, list/member identifiers, and expected impact before running them.

What this means

Authenticating this skill may allow actions against the connected Laposta account until the connection or token is revoked.

Why it was flagged

The integration relies on delegated authentication and credential refresh for Membrane/Laposta access. This is expected for the stated purpose, but it gives the tool account-level authority.

Skill content

Membrane handles authentication and credentials refresh automatically ... "connect" — user needs to authenticate (OAuth, API key, etc.).

Recommendation

Authenticate only the intended account, review the granted permissions, and revoke the Membrane/Laposta connection when it is no longer needed.

What this means

The installed CLI version may differ from what was reviewed and could affect the user's local environment.

Why it was flagged

The skill instructs installation of the latest global Membrane CLI from npm. This is purpose-aligned, but unpinned global installs can change over time and run with the user's local privileges.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Pin and verify the CLI version where possible, install it in a controlled environment, and use trusted package sources.

What this means

Subscriber and mailing-list information may be returned to the agent and processed through the integration flow.

Why it was flagged

Laposta operations and subscriber data are handled through the Membrane CLI/account flow. This is disclosed and purpose-aligned, but subscriber/member data can be sensitive.

Skill content

This skill uses the Membrane CLI to interact with Laposta. Membrane handles authentication and credentials refresh automatically ... | List All Members | list-all-members | Get all members/subscribers of a mailing list |

Recommendation

Use the skill only for data the user intends to access, avoid broad member exports unless needed, and confirm how Membrane handles connected-account data.