Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mail Blaze

v1.0.0

Mail Blaze integration. Manage data, records, and automate workflows. Use when the user wants to interact with Mail Blaze data.

by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (Mail Blaze integration) matches the runtime instructions, which instruct using the Membrane CLI to connect, list actions, run actions, and proxy API requests. However, the SKILL.md contains an odd mismatch: it lists "Official docs: https://developers.mailerlite.com/" (MailerLite) which does not match the Mail Blaze name — likely a copy/paste error but worth confirming the intended target and connector. Otherwise requiring the Membrane CLI is proportional to the stated purpose.
Instruction Scope
Instructions are narrowly scoped to installing/using the Membrane CLI, performing an OAuth-like login flow, creating/converting connections, listing actions, running actions, and optionally proxying API calls via Membrane. The instructions do not request reading local files or environment variables, nor do they direct data to unexpected endpoints outside Membrane/Mail Blaze. Headless login flow and guidance are explicit and expected for a CLI-based integration.
Install Mechanism
There is no packaged install spec in the skill bundle; instead the SKILL.md instructs the user to run `npm install -g @membranehq/cli` and uses `npx @membranehq/cli@latest` in examples. Installing a global npm package or dynamically invoking npx pulls code from the public npm registry (moderate risk). This is reasonable for a CLI, but global installs require appropriate privileges and npx/@latest fetches can change over time — consider installing a reviewed, pinned release or running in a constrained environment.
Credentials
The skill declares no required environment variables or credentials and explicitly recommends using Membrane to manage credentials server-side ("never ask the user for API keys"). That is proportional: Membrane is presented as the auth manager and no unrelated secrets are requested by the skill.
Persistence & Privilege
The skill does not request persistent/system-level privileges and is not always-enabled. It is instruction-only and will not write install artifacts itself. Note: the platform-default allows the agent to invoke the skill autonomously (disable-model-invocation is false) — this is normal but you should be aware the agent could call Membrane endpoints automatically unless you restrict it.
What to consider before installing
Before installing or using this skill, consider the following:
- Confirm the target: the SKILL.md references MailerLite docs while the skill name is Mail Blaze — ask the publisher which service/connector this actually targets. Using the wrong connector could cause failed or unexpected API calls.
- Verify the Membrane CLI package and source: the skill asks you to run `npm install -g @membranehq/cli` and uses `npx ...@latest`. Installing global npm packages or fetching latest via npx can introduce supply-chain risk; prefer installing a pinned version or run the CLI in an isolated environment (container/VM) if possible.
- Login implications: `membrane login --tenant` opens a browser and performs auth. Review what account/permissions the login grants and which Mail Blaze data the connector will access. Use a limited-scope account if you can.
- Data flow: the skill proxies API calls through Membrane. Understand what data will be proxied and whether you trust Membrane to handle and store tokens; read Membrane's privacy/security docs and the CLI package README on npm/GitHub.
- Autonomy: the agent may call this skill autonomously (platform default). If you do not want the agent to make external API calls without your confirmation, enable any platform controls to require user approval or disable autonomous invocation for this skill.
If any of the above is unclear or the vendor cannot confirm the Mail Blaze vs MailerLite mismatch, treat this skill cautiously (do not install in production accounts) until clarified.

Like a lobster shell, security has layers — review code before you run it.

latest vk978h0rxxvhs754nsbd4cks8xh84d04m
