Mailgun
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: mailgun-api
Version: 1.0.1
The skill provides a standard integration for the Mailgun API via a third-party gateway (api.maton.ai). It requires a MATON_API_KEY and includes well-documented Python and JavaScript examples for managing domains, sending emails, and handling webhooks. No evidence of malicious intent, data exfiltration, or harmful prompt injection was found; the code logic is consistent with the stated purpose of proxying Mailgun requests.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved, the agent could send emails or change Mailgun resources such as domains, routes, templates, lists, suppressions, or webhooks.
The skill exposes write-capable Mailgun operations that can affect external recipients and account configuration, which is expected for the stated purpose but high-impact.
Send transactional emails, manage domains, routes, templates, mailing lists, suppressions, and webhooks.
Approve write operations only after checking the exact domain, recipient list, message content, and intended account change.
Anyone or any agent flow with the Maton API key may be able to make Mailgun requests through the connected account.
The skill requires a sensitive API key and managed OAuth access to operate on a Mailgun account.
All requests require the Maton API key in the Authorization header: `Authorization: Bearer $MATON_API_KEY`
Store the Maton API key securely, connect only the intended Mailgun account, and revoke or rotate access if no longer needed.
Email content, recipient metadata, and Mailgun account requests may be processed through Maton and the US Mailgun endpoint.
Mailgun API requests, including email-related data, pass through the Maton gateway before reaching Mailgun.
Maton proxies requests to `api.mailgun.net/v3` (US region) and automatically injects your OAuth token.
Use this skill only if you trust Maton as the OAuth/API gateway and are comfortable with the documented US-region routing.
