Mailboxvalidator
Analysis
The skill is a plausible MailboxValidator integration, but it gives the agent broad authenticated Membrane access, unpinned CLI installation instructions, and remote agent instructions without clear safeguards.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.
The skill treats remotely returned connection content as instructions for the agent, which can let external data steer programmatic behavior if not treated as untrusted.
`membrane request CONNECTION_ID /path/to/endpoint` ... `--method` | HTTP method (GET, POST, PUT, PATCH, DELETE).
The skill exposes broad authenticated proxy requests with arbitrary paths, methods, headers, and bodies, without explicit approval or endpoint limits.
npm install -g @membranehq/cli@latest
The skill tells users to globally install an unpinned npm package using the latest tag, which can change over time and is not captured by the registry install spec.
Install the Membrane CLI so you can run `membrane` from the terminal
The integration depends on installing and running an external command-line tool. That is purpose-aligned, but it is still local code execution.
To pass JSON parameters: `membrane action run <actionId> --connectionId=CONNECTION_ID --input '{"key": "value"}' --json`The skill can run discovered actions with arbitrary JSON input against an authenticated connection, but does not describe containment, dry-run behavior, or rollback.
description: | MailboxValidator integration. Manage Users, Organizations. ... MailboxValidator is an email verification service that checks if an email address is valid and deliverable.
The description mentions managing users and organizations, while the body describes email validation and credits, creating ambiguity about the intended scope of authority.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Membrane handles authentication and credentials refresh automatically ... `membrane login --tenant --clientName=<agentType>`
The skill requires delegated Membrane tenant authentication and automatic credential refresh, but the artifacts do not define credential scope, duration, or permission limits.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
Membrane's proxy ... injects the correct authentication headers — including transparent credential refresh if they expire.
Requests and credentials are mediated through Membrane as a gateway/proxy, which is purpose-aligned but important for users to understand.