Findymail
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: findymail
Version: 1.0.4
The skill bundle provides instructions for an AI agent to integrate with Findymail via the Membrane CLI. It outlines standard procedures for installing the `@membranehq/cli` npm package, authenticating via OAuth, and managing API connections. The instructions are consistent with the stated purpose of lead generation and do not contain evidence of malicious intent, data exfiltration, or unauthorized execution. While it grants the agent the ability to perform network requests through a proxy, this is a documented feature of the Membrane platform used for the integration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could make broad authenticated Findymail API calls, which may access lead/contact data, change account data if the API permits it, or consume paid credits.
This exposes an authenticated raw API escape hatch beyond curated actions, with no stated endpoint allowlist, read-only restriction, mutation safeguard, or user-approval requirement.
When the available actions don't cover your use case, you can send requests directly to the Findymail API through Membrane's proxy. Membrane automatically appends the base URL to the path you provide and injects the correct authentication headers
Use curated actions when possible, and require explicit user confirmation before raw proxy calls, especially for writes, bulk operations, exports, or credit-consuming actions.
Connecting the account grants the agent, through Membrane, the ability to act with the connected Findymail account's permissions.
Delegated authentication is expected for a Findymail integration, but it means the workflow depends on Membrane-managed account access and credential refresh.
This skill uses the Membrane CLI to interact with Findymail. Membrane handles authentication and credentials refresh automatically
Connect only the intended Findymail account, review granted permissions, and revoke the connection when it is no longer needed.
The user may install a newer CLI version than the one reviewed, and a compromised or changed package could affect the local environment.
The setup step installs a global CLI from npm using an unpinned latest version. This is purpose-aligned, but the exact installed code can change over time.
npm install -g @membranehq/cli@latest
Install from the official source, consider pinning a known-good version, and keep the CLI updated through trusted package-management practices.
