Crm Snail Mail Postgrid
Security checks across malware telemetry and agentic risk
Overview
The CRM-to-PostGrid mailing workflow is coherent, but the included PostGrid utility exposes much broader account actions than sending mail, including raw API calls and financial/admin-style endpoints.
Review this skill before installing. Use dry-run first, provide least-privilege API keys, avoid using a PostGrid key with bank account, cheque, campaign, webhook, or admin permissions, and inspect/delete temporary CRM contact exports after use.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent or user could use the bundled utility to perform broad PostGrid account actions, not just send physical mail, increasing the chance of accidental or unauthorized account changes.
This explicitly exposes a raw API escape hatch rather than limiting the tool to the stated letter/postcard mailing workflow.
Purpose: Full PostGrid API utility with broad endpoint catalog and `call-raw` fallback for any documented endpoint.
Limit the skill to the specific PostGrid letter/postcard endpoints needed for mailing, or require explicit user confirmation and scoped API keys before allowing raw or administrative API calls.
A PostGrid API key provided for mailing could potentially be used by this skill for unrelated account or financial operations if the key has those permissions.
The included PostGrid API catalog covers privileged and financial-style resources that exceed the stated need to send letters or postcards.
"bank_accounts.create": Endpoint("bank_accounts.create", "POST", "/bank_accounts", "bank_accounts", "Create bank account"), ... "cheques.create": Endpoint("cheques.create", "POST", "/cheques", "cheques", "Create cheque")
Use a least-privilege PostGrid API key restricted to mail creation where possible, and remove or separately gate bank account, cheque, campaign, webhook, and admin endpoints.
Installing users should understand that the skill can access CRM contact records and submit mail jobs through their PostGrid account when credentials are provided.
The skill needs delegated access to CRM and PostGrid accounts. This is purpose-aligned, but the provided registry metadata says there are no required env vars or primary credential.
- `GHL_API_KEY`: GHL API key/token.
- `FUB_API_KEY`: Follow Up Boss API key.
- `POSTGRID_API_KEY`: PostGrid API key.
Declare the required credentials in metadata and use separate, least-privilege keys for GHL/FUB and PostGrid.
Contact names, addresses, phone numbers, emails, tags, and raw CRM fields may be written to local JSON files and used to create PostGrid payloads.
The skill handles and exports CRM contact PII, including raw original contact data, as part of the mailing workflow.
Normalized contact shape:
- `email`
- `phone`
- `address1`
- `address2`
- `city`
- `state`
- `postal_code`
- `country`
- `tags`
- `raw`
Review generated contact files and dry-run payloads before sending, avoid storing unnecessary raw CRM fields, and delete temporary files when no longer needed.
