Quickmailio

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a legitimate QuickMail.io integration, but it gives broad authenticated API access, including direct write and delete requests, so users should review actions carefully.

Install only if you are comfortable giving Membrane-mediated access to your QuickMail.io account. Use pre-built actions where possible, and require a clear user instruction before allowing the agent to create, update, delete, or send anything through QuickMail.io.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could change or delete QuickMail.io business data if it chooses an unsafe endpoint or method.

Why it was flagged

This exposes a broad authenticated API escape hatch, including write and delete methods, without documented allowlists, confirmation requirements, or rollback guidance.

Skill content

When the available actions don't cover your use case, you can send requests directly to the QuickMail.io API through Membrane's proxy... `membrane request CONNECTION_ID /path/to/endpoint` ... HTTP method (GET, POST, PUT, PATCH, DELETE).

Recommendation

Prefer Membrane's pre-built actions, use the narrowest possible endpoint, and require explicit user confirmation before any POST, PUT, PATCH, or DELETE request.

What this means

Connecting an account gives Membrane-backed commands continuing access to the selected QuickMail.io connection.

Why it was flagged

The skill depends on delegated Membrane/QuickMail.io account access and persistent credential refresh. This is expected for the integration, but it is privileged access.

Skill content

Membrane handles authentication and credentials refresh automatically... The user completes authentication in the browser. The output contains the new connection id.

Recommendation

Connect only the intended QuickMail.io account, review granted scopes if shown, and revoke the Membrane connection when it is no longer needed.

What this means

Installing or running the CLI executes code from the npm package ecosystem on the local machine.

Why it was flagged

The skill asks users to install and run an external CLI, including an unpinned `@latest` invocation. This is central to the skill's purpose, but users should understand the dependency.

Skill content

`npm install -g @membranehq/cli` ... `npx @membranehq/cli@latest action list --intent=QUERY --connectionId=CONNECTION_ID --json`

Recommendation

Install the CLI only from the trusted npm package source, consider pinning a known version, and avoid running it in sensitive environments without review.

What this means

QuickMail.io files, notes, activities, or other request contents may pass through Membrane as part of normal operation.

Why it was flagged

QuickMail.io request data is routed through the Membrane proxy/gateway. This is disclosed and purpose-aligned, but it is an external data path users should be aware of.

Skill content

you can send requests directly to the QuickMail.io API through Membrane's proxy... Membrane automatically appends the base URL to the path you provide and injects the correct authentication headers

Recommendation

Avoid sending unnecessary sensitive data, and confirm Membrane is an acceptable intermediary for the QuickMail.io data being accessed.