ClawHub

Mailgun

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Mailgun API helper, but it can send email and change Mailgun routing, webhook, and credential settings when given access.

Install only if you trust Maton to proxy your Mailgun account and can protect MATON_API_KEY. Before approving writes, verify the exact domain, recipients, route forwarding destination, webhook URL, tracking setting, or credential change; route, webhook, and credential operations deserve extra scrutiny because they can expose mail data or alter account access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill documents potentially sensitive write operations such as sending email, creating routes, and configuring webhooks, but the nearby examples do not consistently restate privacy, delivery, or forwarding risks. In an agent context, examples strongly shape behavior, so omission of operational warnings can increase the chance of unintended outbound messaging or forwarding of inbound mail to third parties.

External Transmission

Medium
Category
Data Exfiltration
Content
domain = 'example.com'

# Create route
route_response = requests.post(
    'https://api.maton.ai/mailgun/v3/routes',
    headers=headers,
    data={
Confidence
78% confidence
Finding
requests.post( 'https://

External Transmission

Medium
Category
Data Exfiltration
Content
# Create route
route_response = requests.post(
    'https://api.maton.ai/mailgun/v3/routes',
    headers=headers,
    data={
        'priority': 0,
Confidence
79% confidence
Finding
https://api.maton.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
# Create webhook
webhook_response = requests.post(
    f'https://api.maton.ai/mailgun/v3/domains/{domain}/webhooks',
    headers=headers,
    data={
        'id': 'delivered',
Confidence
77% confidence
Finding
https://api.maton.ai/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal