sendinblue Security Report — Trusted | ClawSafe

5 /100

sendinblue

Sendinblue marketing automation integration using Membrane CLI for email campaigns, SMS, contacts, and automations

This is a legitimate Sendinblue marketing platform integration skill using the Membrane CLI, with well-documented behavior and server-side credential management. No malicious indicators found.

Skill Namesendinblue

Duration33.1s

Enginepi

✓

Safe to install

Consider pinning the npm package version (e.g., @membranehq/[email protected]) to improve supply chain hygiene, but the skill is safe to use.

Findings 1 items

Severity	Finding	Location
Low	Unpinned npm package version Supply Chain The npm install command uses @membranehq/cli without specifying a version or version range. This could lead to unexpected behavior if the package is updated with breaking changes. `npm install -g @membranehq/cli` → Pin to a specific version: npm install -g @membranehq/[email protected]	`SKILL.md:23`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	SKILL.md:26 - membrane request proxies to Sendinblue API
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md:23 - npm install -g @membranehq/cli
Filesystem	`NONE`	`NONE`	—	No file operations performed
Environment	`NONE`	`NONE`	—	Credentials managed server-side by Membrane
credential	`NONE`	`NONE`	—	SKILL.md:95 - 'Let Membrane handle credentials'

2 findings

🔗

Medium External URL 外部 URL

https://getmembrane.com

SKILL.md:7

🔗

Medium External URL 外部 URL

https://developers.sendinblue.com/

SKILL.md:19

File Tree

1 files · 4.6 KB · 136 lines

Markdown 1f · 136L

└─ 📝 SKILL.md Markdown 136L · 4.6 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`@membranehq/cli`	`latest (unpinned)`	npm	No	Package not version-pinned; recommend specifying a version for reproducibility

Security Positives

✓ All shell commands are documented in SKILL.md with clear purpose

✓ Credential handling is explicitly server-side via Membrane - no local credential storage

✓ No sensitive file paths (~/.ssh, ~/.aws, .env) are accessed

✓ No obfuscation techniques (base64, eval, etc.) detected

✓ No direct IP network requests or C2 communication patterns

✓ No credential harvesting or environment variable iteration

✓ API requests go through Membrane's documented proxy mechanism

✓ Browser-based OAuth flow for authentication - no password scraping

✓ Legitimate use case: marketing automation platform integration

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives