Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
mailgo-coldmail-marketing
v1.1.1
Complete cold email campaign suite for Mailgo — verify recipients, claim free mailbox, generate & optimize content, create campaigns, manage lifecycle, and v...
by Alina@cailumin
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code, README, and SKILL.md implement the claimed cold-email pipeline (verify recipients, claim pre-warmed mailbox, create/activate/pause/delete campaigns, and reporting) and call only Mailgo/LeadsNavi endpoints (api.leadsnavi.com). That functionality is coherent with the skill name/description. However the registry metadata lists no required environment variables or primary credential while the SKILL.md and all scripts require a MAILGO_API_KEY — an inconsistency in declared requirements and actual capabilities. The skill's Source/Homepage are also absent; the README claims 'LeadsNavi' as publisher but registry provenance is unclear.
Instruction Scope
Runtime instructions focus on Mailgo usage: set MAILGO_API_KEY as a local env var, provide campaign/recipient details, and optionally file paths for recipient lists. The scripts read local files (CSV/XLSX/TXT/JSON) and call Mailgo APIs. There are no instructions to read unrelated system credentials or to transmit data to endpoints other than the Mailgo API. The SKILL.md enforces collecting all campaign info in one interaction (scope limitation) and explicitly warns not to paste the token into chat.
Install Mechanism
No install spec is provided (instruction-only install); code files are bundled in the skill and use only Python stdlib (openpyxl optional). No remote downloads or non-standard installers are present — this is low install risk.
Credentials
The scripts require MAILGO_API_KEY (an account-level OpenAPI key able to claim mailboxes, create/activate/pause/delete campaigns, and read reports). That credential is appropriately used by the code, but the registry metadata does not declare it (required env vars: none / primary credential: none), which is a significant mismatch. The requested secret is broad and grants full control over the user's Mailgo account; users should only supply it if they trust the publisher and understand the account-level risk.
Persistence & Privilege
The skill is not always-enabled and does not request any special persistent platform privileges. Model invocation is allowed (default), which is expected for skills. The skill does not modify other skills or system-wide settings.
What to consider before installing
Key points before installing/using this skill:
- The skill requires a MAILGO_API_KEY that gives full control of your Mailgo account (claim mailboxes, create/send/manage campaigns, read reports). Only set this as a local environment variable and never paste it into chat. If you have doubts, create a token with minimal scope or use a test account, and be prepared to revoke it.
- Registry metadata does NOT list the MAILGO_API_KEY requirement even though SKILL.md and the bundled scripts require it. This mismatch is a red flag in provenance/packaging — verify the publisher and source before trusting the skill.
- The skill will read recipient files you supply (CSV/XLSX/TXT/JSON). Only provide files you intend to process and avoid uploading/exposing sensitive personal data you don't want transmitted to the Mailgo API. Prefer dry-run/testing with a small, non-sensitive dataset first.
- Network calls in the code go to api.leadsnavi.com (Mailgo/LeadsNavi). If you need higher assurance, inspect the full bundled code (you have it here) and run scripts locally rather than granting an agent automatic execution.
- Confirm compliance: sending cold emails may be subject to laws (CAN-SPAM, GDPR) and platform terms. Use the built-in optimizer and opt-out handling, and ensure you have lawful bases for contacting recipients.
- Because the skill comes from an unknown/undocumented registry source/homepage, prefer extra caution: validate the publisher (LeadsNavi) independently, test with a throwaway Mailgo token/account, and revoke tokens you used for evaluation.
