Is mailerlite safe?
https://clawhub.ai/byungkyu/mailerlite
This is a legitimate MailerLite API integration skill that provides comprehensive documentation for managing email subscribers, campaigns, groups, and automations through the Maton OAuth proxy. The primary risk is trust delegation to the maton.ai third-party service which proxies all API traffic and OAuth tokens. No malicious code, prompt injection, or data exfiltration attempts were detected in the skill itself.
Findings (7)
MEDIUM Third-party API proxy trust delegation -15
All MailerLite API traffic is routed through gateway.maton.ai, which acts as an OAuth proxy. The user's MATON_API_KEY and all subscriber data pass through this third-party service. While this is the intended design for managed OAuth, it means maton.ai has full visibility into all API operations and data.
MEDIUM Cross-skill reference to api-gateway -10
The skill description contains a direct reference to another skill: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'. This could prompt the agent to install or invoke a second skill, expanding the attack surface. While not malicious by itself, it creates a skill-chaining pathway.
LOW Destructive operations available without guardrails -15
The skill documents destructive operations including deleting subscribers, forgetting subscribers (GDPR), deleting campaigns, deleting groups, and scheduling instant campaign delivery. An agent following these instructions without user confirmation could cause data loss or send unintended emails.
LOW Webhook creation could enable data exfiltration -15
The webhook API allows creating webhooks pointing to arbitrary URLs. A manipulated agent could create a webhook to an attacker-controlled endpoint, causing MailerLite to send subscriber event data (creates, updates, etc.) to that endpoint.
LOW Environment variable exposure in code examples -7
Code examples use os.environ['MATON_API_KEY'] directly in HTTP requests. While standard practice, if the agent logs or displays these requests, the API key could be exposed. The troubleshooting section even suggests running 'echo $MATON_API_KEY'.
INFO Skill uses emoji in metadata 0
The skill metadata includes an emoji field (brain emoji). This is cosmetic and not a security concern.
INFO Platform reads sensitive files during install -15
The filesystem monitoring captured reads of .env, .aws/credentials, and various config files during installation. These are attributed to the host platform (openclaw) initialization, not to the skill itself. The skill repository contains no executable install scripts.