Mailjet
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: mailjet Version: 1.0.2 The skill instructs the AI agent to perform high-privilege operations, including the global installation of an NPM package (@membranehq/cli) and the execution of shell commands for authentication and network requests. While these capabilities are plausibly needed for the stated purpose of integrating Mailjet via the Membrane platform, the reliance on shell execution and a generic API proxy command (`membrane request`) constitutes a risky attack surface within the SKILL.md instructions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could make broad changes to the connected Mailjet account, including deleting data or performing unsupported API operations, if it misinterprets the user's request.
The skill documents a raw authenticated proxy to the Mailjet API, including mutating and destructive HTTP methods, without clear limits or confirmation requirements.
membrane request CONNECTION_ID /path/to/endpoint ... HTTP method (GET, POST, PUT, PATCH, DELETE) ... injects the correct authentication headers
Only use raw proxy requests for specific user-approved tasks, and require explicit confirmation before DELETE, bulk update, or email-sending operations.
Connecting the skill gives Membrane-mediated access to the user's Mailjet account for future actions.
The integration relies on delegated Membrane/Mailjet account access and ongoing credential refresh. This is expected, but it is sensitive authority.
Membrane handles authentication and credentials refresh automatically ... The user completes authentication in the browser.
Connect only the intended Mailjet account and review/revoke the Membrane connection if it is no longer needed.
Installing a global CLI adds external code to the user's environment.
The skill asks for a global npm CLI installation. This is disclosed and central to the integration, but the package version is not pinned in the instructions.
npm install -g @membranehq/cli
Verify the package source and consider installing a pinned version in a controlled environment.