ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mailify

v1.0.2

Mailify integration. Manage Persons, Organizations, Deals, Leads, Activities, Notes and more. Use when the user wants to interact with Mailify data.

0· 106·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims to integrate with Mailify and all runtime instructions are about discovering and running Mailify actions via the Membrane CLI and proxy. This aligns with the stated purpose. Minor bookkeeping mismatch: registry metadata lists no required binaries, yet the instructions explicitly require installing the @membranehq/cli (npm) or using npx.
Instruction Scope
SKILL.md stays on-topic: it instructs installing/running the Membrane CLI, logging in, creating/using a Mailify connection, running actions, and proxying raw API requests. It does not direct reading of unrelated files or environment variables. Important note: many commands will send data through Membrane's servers (proxy and action calls), so runtime data will be transmitted to that service.
Install Mechanism
There is no formal install spec in the registry entry; the instructions ask the user/agent to install a global npm package (@membranehq/cli) or use npx. Installing a global npm package is a normal but higher-trust operation than an instruction-only skill that requires no installs — verify the package and its source before installing.
Credentials
The skill declares no required env vars or credentials and instead relies on interactive Membrane login and a Membrane account. That is proportionate for a connector that uses delegated auth. The SKILL.md explicitly warns against asking users for API keys, which is appropriate. Users should be aware that authentication and proxied requests are handled server-side by Membrane (i.e., credentials and request payloads transit Membrane's systems).
Persistence & Privilege
The skill does not request 'always: true' or special platform-wide privileges. It relies on the Membrane CLI and the user's Membrane account/session. Be mindful that if you allow autonomous agent invocation, the agent could run the CLI to act on Mailify via Membrane without further prompts — this is the platform default, not a property unique to this skill.
Assessment
This skill appears to be what it says: a Mailify integration that uses Membrane as a proxy. Before installing or letting an agent run these commands, verify you trust the Membrane service and the @membranehq/cli npm package (check the npm page, publisher identity, and repository). Understand that data and credentials are handled by Membrane servers (not kept locally) and that installing a global npm package will add executable code to your environment. If you have sensitive data or strict compliance requirements, review Membrane's privacy/security docs or avoid installing this in that environment. Finally, if you permit autonomous agent actions, be aware the agent could use the CLI to interact with Mailify without additional consent.

Like a lobster shell, security has layers — review code before you run it.

latestvk970y8ppk7j1jb851q7g110nax84257t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments