Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mailtarget Email
v1.2.0
Send transactional and marketing emails via Mailtarget API. Manage sending domains, templates, API keys, and sub-accounts. Use when the agent needs to send e...
by Masas Dani (@masasdani)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description and SKILL.md consistently describe Mailtarget email and domain management functionality, which is coherent. However the package metadata declares no required environment variables or primary credential while the SKILL.md explicitly requires MAILTARGET_API_KEY (and, for autonomous domain setup, Cloudflare credentials). The metadata omission is an incoherence that matters for permissioning and automated audits.
Instruction Scope
The runtime instructions stay within the advertised scope (sending emails, managing templates, creating/verifying sending domains). They provide curl examples and a clear domain-setup flow. They also enable an autonomous end-to-end DNS workflow (via an optional cloudflare-dns companion) that will read DNS values from Mailtarget and create/modify DNS records in Cloudflare. The instructions do not instruct reading unrelated local files, but they do grant the agent broad discretion to 'handle the rest' (build HTML, send campaigns), which is functionally expected but operationally broad.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk (nothing is written or executed on disk by the skill itself).
Credentials
Metadata lists no environment variables, but SKILL.md requires MAILTARGET_API_KEY. For autonomous domain setup it also instructs storing CLOUDFLARE_API_TOKEN and CLOUDFLARE_ZONE_ID. A Cloudflare token with DNS Write permission is high privilege. The skill should have declared these required credentials (primaryEnv), and users should be warned to use least-privilege tokens and to scope the token to specific zones where possible.
Persistence & Privilege
always:false and autonomous model invocation enabled (default) — normal. However, combined with the domain-setup flow that can modify DNS when Cloudflare credentials are provided, the agent can perform impactful changes autonomously. Consider restricting autonomous invocation or requiring explicit user approval for DNS changes.
What to consider before installing
This skill appears to do what it says (send/manage Mailtarget emails) but the published metadata does not list the environment variables the SKILL.md requires. Before installing:
1) Plan to set MAILTARGET_API_KEY in a secure gateway/environment variable (the skill uses Authorization: Bearer $MAILTARGET_API_KEY).
2) If you enable autonomous domain setup, only provide a Cloudflare API token scoped with the minimum DNS write permissions and, if possible, restricted to the specific zone(s) the skill needs (CLOUDFLARE_API_TOKEN and CLOUDFLARE_ZONE_ID).
3) Consider keeping autonomous invocation off or requiring manual approval for DNS changes and bulk sends.
4) Test with a non-production/test domain and test Mailtarget key to verify behavior.
5) Rotate keys and revoke tokens you provided to the agent if you stop using the skill.
The main risk is undisclosed credential requirements and the ability to modify DNS; those are legitimate for this skill but must be provisioned carefully.
Like a lobster shell, security has layers — review code before you run it.
