Is brevo-api safe?

https://clawhub.ai/byungkyu/brevo-api

62
CAUTION

The brevo-api skill is a legitimate Brevo API integration that routes all traffic through a third-party gateway (Maton), creating a significant credential relay trust dependency. The most concerning finding is that the installation includes an undeclared bundled 'ai-meeting-notes' skill from a different author that aggressively manipulates agent behavior and creates files in the workspace. The combination of email-sending capability and file-reading behavior across the two skills creates a theoretical data exfiltration path.

Category Scores

Prompt Injection 55/100 · 30%
Data Exfiltration 50/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 75/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (8)

HIGH Undeclared bundled skill with agent manipulation -30

The brevo-api skill package includes a completely separate 'ai-meeting-notes' skill that was not part of the declared audit target. This second skill contains extensive that dictate agent behavior, force file creation in the workspace, and control response formatting. Users installing brevo-api would not expect to receive a meeting notes organizer that reads and creates files in their workspace.

HIGH All API traffic routed through third-party gateway -25

Every Brevo API call is proxied through gateway.maton.ai rather than going directly to api.brevo.com. Maton acts as a man-in-the-middle for all operations including sending emails, managing contacts, and creating campaigns. This gives Maton full visibility into and control over the user's Brevo data and operations.

MEDIUM Aggressive agent behavior override in bundled skill -20

The ai-meeting-notes skill uses emphatic control patterns (CRITICAL, MANDATORY, NEVER, ALWAYS) to force specific agent behaviors including file creation, directory creation, file searching, and rigid response formatting. While individually benign, this demonstrates the skill author's ability to significantly alter agent behavior.

MEDIUM Environment variable credential exposure -15

The skill requires MATON_API_KEY to be set as an environment variable and sends it to Maton endpoints. If the Maton service is compromised, the attacker gains access to the user's Brevo account and potentially other Maton-connected services.

MEDIUM Cross-skill reference for installation chaining -10

The brevo-api skill description explicitly references another skill URL for installation: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'. This could lead to chain installation of additional skills from the same author, expanding the attack surface.

MEDIUM Email sending capability creates abuse potential -15

The skill provides full email sending capability through the Brevo API. A subsequent prompt injection could abuse this to send spam, phishing, or data exfiltration emails from the user's authenticated Brevo account.

LOW Sensitive file reads during installation -10

The installation process read .env, .aws/credentials, and auth-profiles.json. While likely part of standard OpenClaw runtime initialization rather than skill-initiated behavior, the .aws/credentials access is notable.

INFO Python code execution patterns provided -5

The skill provides ready-to-execute Python code blocks using urllib.request for all API operations. The agent is expected to copy and execute these, establishing a pattern of running network-calling code from skill instructions.