Brevo
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a straightforward Brevo API reference, but it uses a Brevo API key and documents actions that can send emails or change contact lists.
This skill appears coherent for managing Brevo email marketing through documented API examples. Before installing or using it, make sure you are comfortable giving the agent access to a Brevo API key, and require review before any email send, campaign creation, contact deletion, import, or bulk list change. The provided SKILL.md text was truncated in the artifact view, so review the full skill text if available.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the key can perform Brevo API actions allowed by that key, including contact and email operations.
The skill instructs use of a local Brevo API key for authenticated account access. This is purpose-aligned, but it gives the agent access to the user's Brevo account authority.
BREVO_KEY=$(cat ~/.config/brevo/api_key)
All requests require header: `api-key: $BREVO_KEY`
Use a Brevo key with the minimum needed permissions, keep it out of chat/logs, and rotate it if exposed.
Mistaken use could email customers, create campaigns, change subscriptions, or delete/update contact records.
The documented API operations can mutate contact data and send emails or campaigns. These actions fit the skill purpose, but they are high-impact if run with the wrong recipients, list IDs, or message content.
| Create contact | POST | `/contacts` |
| Update contact | PUT | `/contacts/{email}` |
| Delete contact | DELETE | `/contacts/{email}` |
...
| Send transactional | POST | `/smtp/email` |
| Send campaign | POST | `/emailCampaigns` |
Require explicit user confirmation before send, campaign, delete, import, or bulk list operations, and preview recipients and content first.
Contact details and email content may be transmitted to Brevo as part of normal API use.
The skill sends contact email addresses and attributes to the external Brevo API. This is expected for a Brevo integration, but it is still a sensitive data flow.
curl -X POST "https://api.brevo.com/v3/contacts" ... "email": "user@example.com" ... "attributes": { "NOMBRE": "John", "APELLIDOS": "Doe" }
Only send contact data that belongs in Brevo, avoid unnecessary sensitive attributes, and follow consent/unsubscribe requirements.
