Unione - Email API
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could send unwanted emails or change email-account settings such as templates or suppression handling.
These are high-impact external API actions that can send messages to third parties or alter UniOne account resources. They are clearly aligned with the stated email-API purpose.
- **Send emails** — transactional, marketing, personalized with templates - **Manage templates** — create, update, list, delete email templates - **Manage suppressions** — handle bounces, unsubscribes, complaints
Use a test or least-privilege UniOne API key, confirm recipients and message content before sending, and review any template, suppression, webhook, domain, or project changes before applying them.
Anyone or any agent workflow with access to the key may be able to perform actions allowed by that key in the UniOne account.
The skill needs a UniOne API key to act on the user's UniOne account. This is expected for the integration, but it is account authority.
All requests require the `UNIONE_API_KEY` environment variable. Pass it as the `X-API-KEY` header.
Create a scoped key limited to the needed actions, avoid using a production master key for testing, keep the key out of prompts/logs, and rotate it if exposed.
A misconfigured webhook could send email-event information to the wrong service or endpoint.
Webhook setup can route delivery-event data to an external endpoint. This is purpose-aligned for tracking, but the endpoint choice affects where recipient or delivery metadata is sent.
- **Track delivery** — set up webhooks for real-time event notifications
Use only trusted HTTPS webhook URLs, verify the destination before saving it, and limit webhook events to what is needed.
If the package identity is mistaken, a user could trust the wrong skill with a UniOne API key.
The registry metadata does not provide verified source provenance, while the artifacts self-report an official source. Because this skill uses an API key, users should verify the package identity before installation.
Source: unknown
Verify the ClawHub package, homepage, and repository against UniOne's official documentation before installing or providing credentials.