Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mandrill
v1.0.0
Mandrill integration. Manage data, records, and automate workflows. Use when the user wants to interact with Mandrill data.
by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to integrate with Mandrill via the Membrane platform, which is coherent. However the registry metadata lists no required binaries while the runtime instructions require installing and running the Membrane CLI (membrane). Also the SKILL.md's 'Official docs' link points to MailerLite transactional-email docs (not Mandrill), suggesting sloppy copy/paste or metadata errors.
Instruction Scope
Instructions are limited to using the Membrane CLI to discover connectors, create a connection, list/run actions, and proxy requests to Mandrill. That scope matches the stated purpose. However the proxy capability lets the agent craft arbitrary proxied requests through Membrane (broad network reach) — expected for this integration but something to be aware of.
Install Mechanism
There is no declared install spec in the registry, but SKILL.md instructs the user/agent to run 'npm install -g @membranehq/cli' (global npm install). Installing a global npm package is a moderate-risk action because it downloads and executes third-party code; the package is from the npm registry (traceable), not an arbitrary URL, but the registry entry did not declare this requirement.
Credentials
The skill declares no required environment variables or credentials and explicitly instructs to create a connection so Membrane handles authentication server-side. That is proportionate to a connector-style integration.
Persistence & Privilege
The skill does not request always:true and has no install-time scripts or persistent privileges declared. It relies on an external CLI, but does not ask to modify other skills or system-wide agent settings.
What to consider before installing
This skill appears to be a Membrane-based Mandrill connector, but there are a few red flags to consider before installing: (1) SKILL.md requires installing the Membrane CLI ('membrane') via a global npm install, yet the registry metadata declares no required binaries — verify you are willing to install that package and trust @membranehq/cli. (2) The SKILL.md contains an incorrect 'Official docs' link (points to MailerLite), which suggests the file may have been copied or not fully reviewed — confirm the connector targets the correct Mandrill service. (3) The CLI's proxy feature can send arbitrary proxied requests through Membrane; that's expected for an integration but gives broad network capability. Recommended steps: verify the publisher and package on npm, confirm the Membrane homepage and repository are legitimate, prefer using a scoped/local npm install or review the CLI code before global installation, and avoid pasting secrets into free-text prompts — use Membrane's managed connection flow as instructed. If you need higher assurance, ask the publisher for a signed package URL or inspect @membranehq/cli source before installing.
Like a lobster shell, security has layers — review code before you run it.
latestvk97fvzabm788ckzr9va3ync915846hnx
