Trusted — Risk Score 5/100
Last scan: 2 days ago
mailgo-campaign-suite
Complete cold email campaign suite for Mailgo — verify recipients, claim free mailbox, generate & optimize content, create campaigns, manage lifecycle, and view reports.
Legitimate cold email marketing automation suite for Mailgo/LeadsNavi with no malicious behavior, no credential exfiltration, no sensitive path access, and full capability transparency between SKILL.md and code.
Skill Name: mailgo-campaign-suite
Duration: 52.5s
Engine: pi
Safe to install
No action required. The skill is safe to use. Ensure users set MAILGO_API_KEY as a local environment variable only and never paste it into chat.

Findings (2 items)

Severity | Finding | Location

Severity: Info
Finding: SSL context comment clarity
Description: The ssl.create_default_context() call includes a comment explaining why cert verification should not be disabled. The comment placement above the context creation is slightly ambiguous but the code is correct — verification IS enabled. No security impact.
Code:
    _ssl_ctx = ssl.create_default_context()
    # Do NOT disable certificate verification — MITM attacks would allow token theft
Recommendation: → No action needed. The SSL verification is correctly implemented. The comment serves as a security safeguard against future accidental disabling.
Location: scripts/run_campaign.py, scripts/verify_emails.py, scripts/campaign_control.py, scripts/campaign_report.py, scripts/claim_free_mailbox.py:48

Severity: Info
Finding: openpyxl dependency not pinned
Description: openpyxl is listed as an optional dependency but without a version constraint. This is minor since it is only imported when reading .xlsx files and only used for email list import — no network or credential access.
Code:
    # Optional: openpyxl  # for .xlsx file support
Recommendation: → Consider pinning to a specific version (e.g., openpyxl>=3.0.0) for reproducibility, but no security impact since the library is only used for spreadsheet parsing.
Location: scripts/run_campaign.py, scripts/verify_emails.py:1
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | SKILL.md declares Read access for reading email list files and --body-file; scri…
Network | READ | READ | ✓ Aligned | All scripts make HTTPS requests to api.leadsnavi.com; TLS certificate verificati…
Environment | READ | READ | ✓ Aligned | MAILGO_API_KEY read via os.environ.get(); key only sent to legitimate Mailgo API…
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md shows 'source ~/.zshrc' and 'python3 scripts/*.py' execution — necessar…
15 findings

Severity | Type | Value | Location
Medium | External URL | https://app.mailgo.ai | README.md:16
Medium | External URL | https://www.leadsnavi.com | README.md:17
Medium | External URL | https://api.leadsnavi.com | README.md:37
Medium | External URL | https://app.mailgo.ai. | SKILL.md:297
Medium | External URL | https://app.leadsnavi.com/billing | scripts/verify_emails.py:219
Info | Email address | [email protected] | README.md:75
Info | Email address | [email protected] | README.md:82
Info | Email address | [email protected] | SKILL.md:157
Info | Email address | [email protected] | SKILL.md:157
Info | Email address | [email protected] | SKILL.md:157
Info | Email address | [email protected] | SKILL.md:297
Info | Email address | [email protected] | SKILL.md:309
Info | Email address | [email protected] | SKILL.md:555
Info | Email address | [email protected] | SKILL.md:722
Info | Email address | [email protected] | scripts/run_campaign.py:7

File Tree

9 files · 122.3 KB · 3116 lines
Python: 5 files, 1770 lines · Markdown: 4 files, 1346 lines
├─ 📁 resources
│ ├─ 📝 industry-templates.md Markdown 297L · 15.1 KB
│ └─ 📝 spam-triggers.md Markdown 136L · 4.4 KB
├─ 📁 scripts
│ ├─ 🐍 campaign_control.py Python 162L · 5.8 KB
│ ├─ 🐍 campaign_report.py Python 566L · 20.7 KB
│ ├─ 🐍 claim_free_mailbox.py Python 156L · 4.8 KB
│ ├─ 🐍 run_campaign.py Python 498L · 21.5 KB
│ └─ 🐍 verify_emails.py Python 388L · 13.2 KB
├─ 📝 README.md Markdown 113L · 5.3 KB
└─ 📝 SKILL.md Markdown 800L · 31.5 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
openpyxl | not pinned | pip (optional) | No | Optional dependency only loaded when reading .xlsx files. No network or credential access. Version not pinned but no security impact for this use case.

Security Positives

✓ No subprocess, os.system, eval, exec, or base64 execution found in any script
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, ~/.config, etc.)
✓ No credential exfiltration — MAILGO_API_KEY is used only for authenticated API calls to api.leadsnavi.com
✓ TLS/SSL certificate verification is explicitly enabled via ssl.create_default_context()
✓ API key is read exclusively from os.environ — never from files or hardcoded strings
✓ All script behavior is fully documented in SKILL.md with no hidden functionality
✓ No third-party dependencies — pure Python stdlib only (urllib, json, csv, ssl, html.parser)
✓ HTML content sanitization strips <script>, <style>, <iframe>, event handlers, and base64 images
✓ Scripts write output only to /tmp (email body files) and stdout/stderr — no arbitrary filesystem writes
✓ HTTPBasicAuth/TLS stripping vectors are absent — no urllib URL schemes other than HTTPS
✓ All API endpoints are to a single, well-defined domain: api.leadsnavi.com
✓ API key header (X-API-Key) is sent only to the legitimate Mailgo API, never to third parties