Findymail

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a normal Findymail/Membrane integration, but it gives the agent an open-ended authenticated API proxy, so it should be reviewed before use.

Install only if you trust Membrane and need Findymail automation. Prefer listed actions over raw proxy requests, ask for confirmation before any write, bulk, export, or credit-consuming operation, and consider pinning the Membrane CLI version instead of installing @latest.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern | Medium Confidence
ASI02: Tool Misuse and Exploitation
What this means

The agent could make broad authenticated Findymail API calls, which may access lead/contact data, change account data if the API permits it, or consume paid credits.

Why it was flagged

This exposes an authenticated raw API escape hatch beyond curated actions, with no stated endpoint allowlist, read-only restriction, mutation safeguard, or user-approval requirement.

Skill content

When the available actions don't cover your use case, you can send requests directly to the Findymail API through Membrane's proxy. Membrane automatically appends the base URL to the path you provide and injects the correct authentication headers

Recommendation

Use curated actions when possible, and require explicit user confirmation before raw proxy calls, especially for writes, bulk operations, exports, or credit-consuming actions.

What this means

Connecting the account grants the agent, through Membrane, the ability to act with the connected Findymail account's permissions.

Why it was flagged

Delegated authentication is expected for a Findymail integration, but it means the workflow depends on Membrane-managed account access and credential refresh.

Skill content

This skill uses the Membrane CLI to interact with Findymail. Membrane handles authentication and credentials refresh automatically

Recommendation

Connect only the intended Findymail account, review granted permissions, and revoke the connection when it is no longer needed.

What this means

The user may install a newer CLI version than the one reviewed, and a compromised or changed package could affect the local environment.

Why it was flagged

The setup step installs a global CLI from npm using an unpinned latest version. This is purpose-aligned, but the exact installed code can change over time.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Install from the official source, consider pinning a known-good version, and keep the CLI updated through trusted package-management practices.