mailgun sender

Review

Audited by ClawScan on May 10, 2026.

Overview

This skill is a straightforward Mailgun email sender, but users should understand it can use a Mailgun API key to send real emails through their account.

This looks safe for its stated purpose if you intend to send email through Mailgun. Before installing or using it, make sure the Mailgun API key is protected, the configured domain/from/default recipient are correct, and the agent does not send messages without your explicit review for sensitive or bulk emails.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with the wrong recipient or content, the user's Mailgun account could send unintended emails.

Why it was flagged

The script sends email content and recipient details to Mailgun. This is exactly the skill's purpose, but it is a real external action that can affect recipients and account usage.

Skill content

curl -s -w "\n%{http_code}" --user "api:$MAILGUN_API_KEY" "https://api.mailgun.net/v3/$MAILGUN_DOMAIN/messages" -F from="$FROM" -F to="$TO" -F subject="$SUBJECT" -F text="$BODY"

Recommendation

Use this skill only for explicit email-sending tasks and confirm recipient, sender, subject, and body before sending important or bulk messages.

What this means

Anyone or any agent process with access to this key may be able to send email through the configured Mailgun account, potentially causing unwanted messages or costs.

Why it was flagged

The skill requires a private Mailgun API key so it can authenticate and send mail through the user's Mailgun account.

Skill content

export MAILGUN_API_KEY="key-xxxxx"      # Your Mailgun private API key

Recommendation

Use a scoped Mailgun key if available, protect the environment variables, and rotate the key if it may have been exposed.

What this means

If the local credentials file is modified by something untrusted, running the script could execute unintended shell commands.

Why it was flagged

The script sources a local credentials file as shell code if the API key is not already set. This is a common credential-loading pattern, but it executes whatever shell content is in that file.

Skill content

if [ -z "$MAILGUN_API_KEY" ] && [ -f ~/.config/mailgun/credentials ]; then
    source ~/.config/mailgun/credentials
fi

Recommendation

Keep ~/.config/mailgun/credentials private and limited to simple environment variable assignments, or prefer setting the documented environment variables directly.