Migma

Review

Audited by ClawScan on May 10, 2026.

Overview

Migma’s artifacts match its stated email-marketing purpose, but it can use your Migma API key to send emails, including bulk sends, and change stored audience data.

This looks like a coherent Migma email-marketing CLI skill, not a hidden or deceptive one. Before installing, verify the @migma/cli package is official, protect MIGMA_API_KEY, and configure your agent to ask before bulk sends, contact imports/removals, domain/project changes, or exports to other email platforms.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken instruction or unchecked recipient list could send email to many customers and affect reputation, compliance, or deliverability.

Why it was flagged

The skill documents sending an email to an entire segment, which is aligned with the email-marketing purpose but is a high-impact action if done with the wrong content or audience.

Skill content

migma send --segment <id> --subject "Big News" --html ./email.html

Recommendation

Require a final user confirmation before any send to a segment/tag/list, and preview the subject, sender, content, and audience size first.

What this means

Using the wrong CSV or contact ID could upload unintended contact data or remove contacts from the Migma account.

Why it was flagged

The skill can import and remove contacts. This is expected for audience management, but it mutates business/customer data.

Skill content

migma contacts import ./contacts.csv --json
migma contacts remove <id> --json

Recommendation

Confirm file paths, contact IDs, and intended list changes before running imports or removals.

What this means

Anyone or any agent process with access to the key may be able to perform permitted Migma actions.

Why it was flagged

The skill requires a Migma API key to authenticate CLI actions. This is expected for the service but grants delegated authority in the user's Migma account.

Skill content

requires:
  env:
    - MIGMA_API_KEY
primaryEnv: MIGMA_API_KEY

Recommendation

Store the API key securely, use the least-privileged key available, and rotate it if exposed.

What this means

Installing the skill requires trusting the external @migma/cli package and its updates.

Why it was flagged

The skill installs and relies on an external npm CLI package. That is appropriate for this integration, but the package code is not present in the reviewed artifacts.

Skill content

node | package: @migma/cli | creates binaries: migma

Recommendation

Verify the package is the official Migma CLI, install from a trusted registry, and consider pinning or reviewing the package version in controlled environments.

What this means

Customer email addresses or other contact details may be stored in Migma and reused in future campaigns.

Why it was flagged

The skill can upload contact lists that may become persistent audience data reused for later sends. This is purpose-aligned but involves customer/contact information.

Skill content

migma contacts import ./contacts.csv --json

Recommendation

Import only intended contact files, follow consent and retention requirements, and verify segments before using them for sends.