Brevo
v1.0.0
Brevo (formerly Sendinblue) email marketing API for managing contacts, lists, sending transactional emails, and campaigns. Use when importing contacts, sending emails, managing subscriptions, or working with email automation.
by yuj es yoga @yujesyoga
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (Brevo email API) align with the documented endpoints and examples in SKILL.md. The operations (contacts, lists, sending emails) are coherent with the stated purpose.
Instruction Scope
The runtime instructions explicitly read a local secret file (BREVO_KEY=$(cat ~/.config/brevo/api_key)) and then include that value in API requests. While reading an API key is expected for this integration, the skill's instructions reference a specific filesystem path that was NOT declared in the skill metadata. There are no other out-of-scope filesystem reads or unexpected network endpoints — all network calls are to api.brevo.com.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is written to disk by an installer. That minimizes install-time risk.
Credentials
The registry metadata lists no required environment variables or primary credential, yet the SKILL.md expects BREVO_KEY (sourced from ~/.config/brevo/api_key) to authenticate requests. The skill implicitly assumes a local secret file or an environment variable, but the lack of declared required credentials is inconsistent and may lead the agent to read a local file unexpectedly.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide changes. It does not declare modifications to other skills or global agent configuration.
What to consider before installing
This skill appears to be a straightforward Brevo API cookbook, but it implicitly expects an API key at ~/.config/brevo/api_key (or a BREVO_KEY env var) even though the registry metadata lists no credentials. Before installing or invoking it:
- Confirm how the agent will supply the Brevo API key. Either ensure you place a key at ~/.config/brevo/api_key with appropriate permissions or modify the skill to expect a declared environment variable (and add that to the metadata).
- Limit the API key's permissions to only what's necessary (sending emails / managing contacts) and rotate/revoke it if you stop using the skill.
- If you don't want the agent to read files automatically, ask the skill author to change the instructions to read the key from a declared env var or to prompt the user at runtime.
- Because the skill can be invoked autonomously by the agent (default), ensure the agent's execution policy and access to your home config directory are acceptable.
These mismatches look like sloppy metadata rather than malicious intent, but treat the implicit file read as a secret-access risk until resolved.
Like a lobster shell, security has layers — review code before you run it.
