Is masasdani/mailtarget-email safe?

https://github.com/openclaw/skills/tree/main/skills/masasdani/mailtarget-email

97
SAFE

This skill provides legitimate documentation for integrating with the Mailtarget email API service. The primary concern is an instruction for the agent to automatically install an additional skill, which could be unexpected behavior. Otherwise, the skill contains only documentation, with no executable code or malicious functionality.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 95/100 · 5%

Findings (3)

MEDIUM Skill chaining instruction -10

The skill documentation instructs the agent to automatically install another skill (cloudflare-dns) via the 'clawhub install cloudflare-dns' command. This could lead to additional software being installed unexpectedly, without explicit user consent.

INFO API key environment variable access 0

The skill requires access to the MAILTARGET_API_KEY environment variable, which is legitimate and necessary for the email service functionality.

INFO Email sending capability -5

When active, this skill enables email sending through the Mailtarget API. This is the intended functionality, but it should be used responsibly to avoid spam.