Trusted — risk score 5/100
Last scan: 2 days ago
mailgo-campaign-suite
Complete cold email campaign suite for Mailgo — verify recipients, claim free mailbox, generate & optimize content, create campaigns, manage lifecycle, and view reports.
Legitimate cold email marketing automation suite for Mailgo/LeadsNavi with no malicious behavior, no credential exfiltration, no sensitive path access, and full capability transparency between SKILL.md and code.
Skill name: mailgo-campaign-suite
Analysis time: 52.5s
Engine: pi
Verdict: safe to install
No action required. The skill is safe to use. Ensure users set MAILGO_API_KEY as a local environment variable only and never paste it into chat.

Security findings (2)

Severity | Finding | Location

Info: SSL context comment clarity
The ssl.create_default_context() call is accompanied by a comment explaining why certificate verification must not be disabled. The comment's placement relative to the context creation is slightly ambiguous, but the code is correct: verification IS enabled. No security impact.
_ssl_ctx = ssl.create_default_context()
# Do NOT disable certificate verification — MITM attacks would allow token theft
→ No action needed. SSL verification is correctly implemented; the comment serves as a safeguard against future accidental disabling.
Location: scripts/run_campaign.py, scripts/verify_emails.py, scripts/campaign_control.py, scripts/campaign_report.py, scripts/claim_free_mailbox.py:48

Info: openpyxl dependency not pinned
openpyxl is listed as an optional dependency without a version constraint. This is minor, since it is only imported when reading .xlsx files and is used solely for email-list import, with no network or credential access.
# Optional: openpyxl  # for .xlsx file support
→ Consider pinning to a specific version (e.g., openpyxl>=3.0.0) for reproducibility; there is no security impact, since the library is only used for spreadsheet parsing.
Location: scripts/run_campaign.py, scripts/verify_emails.py:1
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | SKILL.md declares Read access for reading email list files and --body-file; scri…
Network access | READ | READ | ✓ Consistent | All scripts make HTTPS requests to api.leadsnavi.com; TLS certificate verificati…
Environment variables | READ | READ | ✓ Consistent | MAILGO_API_KEY read via os.environ.get(); key only sent to legitimate Mailgo API…
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md shows 'source ~/.zshrc' and 'python3 scripts/*.py' execution — necessar…
15 findings

Severity | Type | Value | Location
Medium | External URL | https://app.mailgo.ai | README.md:16
Medium | External URL | https://www.leadsnavi.com | README.md:17
Medium | External URL | https://api.leadsnavi.com | README.md:37
Medium | External URL | https://app.mailgo.ai. | SKILL.md:297
Medium | External URL | https://app.leadsnavi.com/billing | scripts/verify_emails.py:219
Info | Email address | [email protected] | README.md:75
Info | Email address | [email protected] | README.md:82
Info | Email address | [email protected] | SKILL.md:157
Info | Email address | [email protected] | SKILL.md:157
Info | Email address | [email protected] | SKILL.md:157
Info | Email address | [email protected] | SKILL.md:297
Info | Email address | [email protected] | SKILL.md:309
Info | Email address | [email protected] | SKILL.md:555
Info | Email address | [email protected] | SKILL.md:722
Info | Email address | [email protected] | scripts/run_campaign.py:7

Directory structure

9 files · 122.3 KB · 3116 lines
Python: 5 files · 1770 lines · Markdown: 4 files · 1346 lines
├─ 📁 resources
│ ├─ 📝 industry-templates.md Markdown 297L · 15.1 KB
│ └─ 📝 spam-triggers.md Markdown 136L · 4.4 KB
├─ 📁 scripts
│ ├─ 🐍 campaign_control.py Python 162L · 5.8 KB
│ ├─ 🐍 campaign_report.py Python 566L · 20.7 KB
│ ├─ 🐍 claim_free_mailbox.py Python 156L · 4.8 KB
│ ├─ 🐍 run_campaign.py Python 498L · 21.5 KB
│ └─ 🐍 verify_emails.py Python 388L · 13.2 KB
├─ 📝 README.md Markdown 113L · 5.3 KB
└─ 📝 SKILL.md Markdown 800L · 31.5 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
openpyxl | not pinned | pip (optional) | | Optional dependency only loaded when reading .xlsx files. No network or credential access. Version not pinned, but no security impact for this use case.

Security highlights

✓ No subprocess, os.system, eval, exec, or base64 execution found in any script
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, ~/.config, etc.)
✓ No credential exfiltration — MAILGO_API_KEY is used only for authenticated API calls to api.leadsnavi.com
✓ TLS/SSL certificate verification is explicitly enabled via ssl.create_default_context()
✓ API key is read exclusively from os.environ — never from files or hardcoded strings
✓ All script behavior is fully documented in SKILL.md with no hidden functionality
✓ No third-party dependencies — pure Python stdlib only (urllib, json, csv, ssl, html.parser)
✓ HTML content sanitization strips <script>, <style>, <iframe>, event handlers, and base64 images
✓ Scripts write output only to /tmp (email body files) and stdout/stderr — no arbitrary filesystem writes
✓ HTTPBasicAuth/TLS stripping vectors are absent — no urllib URL schemes other than HTTPS
✓ All API endpoints are to a single, well-defined domain: api.leadsnavi.com
✓ API key header (X-API-Key) is sent only to the legitimate Mailgo API, never to third parties