ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mailtarget Email

Send transactional and marketing emails via Mailtarget API. Manage sending domains, templates, API keys, and sub-accounts. Use when the agent needs to send e...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 395 · 0 current installs · 0 all-time installs
byMasas Dani@masasdani
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description and SKILL.md consistently describe Mailtarget email and domain management functionality, which is coherent. However the package metadata declares no required environment variables or primary credential while the SKILL.md explicitly requires MAILTARGET_API_KEY (and, for autonomous domain setup, Cloudflare credentials). The metadata omission is an incoherence that matters for permissioning and automated audits.
Instruction Scope
The runtime instructions stay within the advertised scope (sending emails, managing templates, creating/verifying sending domains). They provide curl examples and a clear domain-setup flow. They also enable an autonomous end-to-end DNS workflow (via an optional cloudflare-dns companion) that will read DNS values from Mailtarget and create/modify DNS records in Cloudflare. The instructions do not instruct reading unrelated local files, but they do grant the agent broad discretion to 'handle the rest' (build HTML, send campaigns), which is functionally expected but operationally broad.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk (nothing is written or executed on disk by the skill itself).
!
Credentials
Metadata lists no environment variables, but SKILL.md requires MAILTARGET_API_KEY. For autonomous domain setup it also instructs storing CLOUDFLARE_API_TOKEN and CLOUDFLARE_ZONE_ID. A Cloudflare token with DNS Write permission is high privilege. The skill should have declared these required credentials (primaryEnv), and users should be warned to use least-privilege tokens and to scope the token to specific zones where possible.
Persistence & Privilege
always:false and autonomous model invocation enabled (default) — normal. However, combined with the domain-setup flow that can modify DNS when cloudflare credentials are provided, the agent can perform impactful changes autonomously. Consider restricting autonomous invocation or requiring explicit user approval for DNS changes.
What to consider before installing
This skill appears to do what it says (send/manage Mailtarget emails) but the published metadata does not list the environment variables the SKILL.md requires. Before installing: 1) Plan to set MAILTARGET_API_KEY in a secure gateway/environment variable (the skill uses Authorization: Bearer $MAILTARGET_API_KEY). 2) If you enable autonomous domain setup, only provide a Cloudflare API token scoped with the minimum DNS write permissions and, if possible, restricted to the specific zone(s) the skill needs (CLOUDFLARE_API_TOKEN and CLOUDFLARE_ZONE_ID). 3) Consider keeping autonomous invocation off or require manual approval for DNS changes and bulk sends. 4) Test with a non-production/test domain and test Mailtarget key to verify behavior. 5) Rotate keys and revoke tokens you provided to the agent if you stop using the skill. The main risk is undisclosed credential requirements and the ability to modify DNS; those are legitimate for this skill but must be provisioned carefully.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.2.0
Download zip
latestvk97anbqz68kh8z9qwb7kf7yezx81p7yz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Mailtarget Email

Send emails and manage email infrastructure via the Mailtarget API.

Setup

Set the MAILTARGET_API_KEY environment variable with your Mailtarget API key.

Get your API key from the Mailtarget dashboard → Settings → API Keys.

Sending Email

Use curl or any HTTP client. All requests go to https://transmission.mailtarget.co/v1 with Authorization: Bearer $MAILTARGET_API_KEY.

Simple send

curl -X POST https://transmission.mailtarget.co/v1/layang/transmissions \
  -H "Authorization: Bearer $MAILTARGET_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "to": [{"email": "recipient@example.com", "name": "Recipient"}],
    "from": {"email": "noreply@yourdomain.com", "name": "Your App"},
    "subject": "Hello from Mailtarget",
    "bodyHtml": "<h1>Hello!</h1><p>This is a test email.</p>",
    "bodyText": "Hello! This is a test email."
  }'

A successful response returns {"message": "Transmission received", "transmissionId": "..."}.

Template-based send

Use templateId with substitutionData instead of bodyHtml/bodyText:

{
  "to": [{"email": "user@example.com", "name": "User"}],
  "from": {"email": "noreply@yourdomain.com", "name": "Your App"},
  "subject": "Welcome, {{name}}!",
  "templateId": "welcome-template",
  "substitutionData": {"name": "User", "company": "Acme"}
}

Tracking options

Control click and open tracking per transmission:

{
  "optionsAttributes": {
    "clickTracking": true,
    "openTracking": true,
    "transactional": true
  }
}

Set transactional: true for transactional emails (password resets, receipts) to bypass unsubscribe preferences.

Attachments

Include base64-encoded attachments:

{
  "attachments": [{
    "filename": "report.pdf",
    "mimeType": "application/pdf",
    "value": "<base64-encoded-content>"
  }]
}

Managing Templates

  • List: GET /template?page=1&size=10&search=keyword
  • Create: POST /template with {"id": "slug", "name": "Display Name", "html": "<html>..."}

Managing Sending Domains

  • List: GET /domain/sending
  • Create: POST /domain/sending with {"domain": "example.com"}
  • Verify: PUT /domain/sending/{id}/verify-txt
  • Check SPF: GET /domain/sending/{id}/spf-suggestion

Autonomous Domain Setup (with cloudflare-dns skill)

When paired with the cloudflare-dns skill, the agent can set up a sending domain end-to-end with zero manual DNS editing:

  1. Create sending domain: POST /domain/sending with {"domain": "example.com"}
  2. Read required DNS records from the response: spfHostname, spfValue, dkimHostname, dkimValue, cnameHostname, cnameValue
  3. Add SPF TXT record in Cloudflare using spfHostname and spfValue
  4. Add DKIM TXT record in Cloudflare using dkimHostname and dkimValue
  5. Add CNAME record in Cloudflare using cnameHostname and cnameValue (set proxied: false)
  6. Verify domain: PUT /domain/sending/{id}/verify-txt
  7. Confirm status via GET /domain/sending/{id} — check spfVerified, dkimVerified, cnameVerified

Install the companion skill: clawhub install cloudflare-dns

Getting Started

New to Mailtarget + OpenClaw? See references/getting-started.md for a 5-minute setup guide.

Full API Reference

See references/api.md for complete endpoint documentation including API key management, sub-accounts, and permissions.

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…