Mailchimp mcp
Review
Audited by ClawScan on May 5, 2026.
Overview
The artifacts show a coherent Mailchimp connector, but it needs Mailchimp OAuth credentials and can affect customer-visible marketing content, so users should review confirmations and provider trust.
Install this only if you expect Maverick/OpenClaw to access your Mailchimp account. Verify the runtime provider, keep OAuth credentials scoped and revocable, avoid sending unrelated sensitive data through the tools, require clear confirmation before sends or deletes, and consider pinning the mcporter package version.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user approves a write action, the agent could change or send customer-visible marketing content.
The skill can perform high-impact Mailchimp mutations, but it explicitly requires user confirmation and read-before-write behavior.
Write operations that create, update, publish, send, schedule, delete, or modify campaigns, automations, audiences, members, segments, tags, and customer-visible marketing content require explicit user confirmation.
Confirm the exact audience, campaign, member, or automation before approving any write, send, schedule, publish, or delete action.
Installing and using the skill gives the runtime delegated access to the connected Mailchimp account.
The helper seeds Mailchimp OAuth access and refresh tokens into a persistent local mcporter credential vault.
`mcp_vault="${HOME}/.mcporter/credentials.json"` ... `tokens: {access_token: env.mcp_access, refresh_token: env.mcp_refresh, token_type: "Bearer"}`
Use scoped, revocable Mailchimp OAuth credentials; revoke or rotate them if the integration is no longer needed.
A future mcporter release would be installed automatically unless the operator pins a version.
The dependency is central to the stated purpose and the risk is disclosed, but installing npm latest leaves version provenance to install time.
The install spec uses unpinned `mcporter` (npm `latest`); operators with strict supply-chain controls should override the install to pin a specific version.
Pin mcporter to a reviewed version in controlled environments.
Mailchimp business and customer-related marketing data may be visible to the configured runtime tool provider.
The skill discloses that Mailchimp data flows through the active runtime tool provider, while the provider-owned MCP endpoint is not included in the repository artifacts.
Runtime tool calls, if present in the active OpenClaw environment, use Maverick-provisioned OAuth credentials and expose Mailchimp audience, campaign, report, automation, and member data to the active tool provider.
Use this only with a trusted Maverick/OpenClaw runtime provider and avoid passing unrelated sensitive content through Mailchimp tools.
