Mailgun Simple
PassAudited by ClawScan on May 1, 2026.
Overview
This is a straightforward Mailgun email-sending skill, but it uses your Mailgun API key to send messages from your domain.
This skill appears purpose-aligned and non-deceptive. Before installing, make sure you are comfortable giving the agent access to a Mailgun API key that can send email from your domain, and review email details before use.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong recipient or content, the skill could send unintended emails from the configured Mailgun domain.
The skill sends outbound email through Mailgun using supplied recipient and message fields, which is the stated purpose but can affect real recipients and domain reputation.
return mg.messages.create(domain, { from, to: Array.isArray(to) ? to : [to], subject, text, html });Use it only when you want the agent to send a specific email, and review recipient, subject, body, and sender before allowing use.
Anyone or any agent process using this configured skill can potentially send email through the associated Mailgun account.
The skill requires a private Mailgun API key, which is expected for this integration but grants account-level email-sending authority according to the key's permissions.
`MAILGUN_API_KEY` | **Yes** | — | Your private Mailgun API key.
Use a Mailgun key with the narrowest practical permissions, rotate it if exposed, and monitor Mailgun sending activity.
The installed npm packages become part of the skill's execution environment.
The skill depends on external npm packages. The versions are pinned and the dependencies are aligned with the Mailgun email-sending purpose.
npm install mailgun.js@12.7.0 form-data@4.0.1
Install from a trusted registry and keep dependencies updated according to your normal package security practices.