Create and send email marketing campaigns via Selzy API. Manage contacts, segments, templates. Schedule campaigns, run A/B tests, and analyze performance (op...
Security Analysis
medium confidenceThe skill's requests and runtime instructions are internally consistent with an email-marketing integration: it only needs a Selzy API key and its SKILL.md confines actions to Selzy API calls and explicit user confirmation, but the package has no clear source/homepage and recommends adding the key to a global config which reduces confidence.
The name/description (Selzy email campaigns, contacts, templates, stats) align with the declared requirement (SELZY_API_KEY) and the instructions only reference Selzy API endpoints. Minor transparency issue: metadata lists source/homepage as unknown/none and README states the skill is "already installed globally," which is plausible but reduces provenance confidence.
SKILL.md and README confine runtime actions to Selzy's REST API (getLists, createEmailMessage, createCampaign, etc.), emphasize safety checks (always call getLists, verify list_id/contact count, explicit user confirmation) and rate limiting. The instructions do not ask the agent to read unrelated files, other environment variables, or send data to third-party endpoints outside Selzy. One caveat: the docs assert the skill "does not expose API key in logs" — that is a behavioral claim the platform/runtime must enforce; the instruction file itself cannot guarantee log handling.
No install spec and no code files beyond documentation (instruction-only). This is the lowest-risk install model: nothing is downloaded or executed by the skill itself.
Only a single env var (SELZY_API_KEY) is required, which is appropriate for a REST API integration. Note: README suggests adding the API key to a global OpenClaw config (~/.openclaw/openclaw.json), which would expose the key to any other skill/process with access to that config — consider storing keys with least privilege or using per-skill scoped secrets if supported.
always is false and the skill is user-invocable; the skill can be invoked autonomously (platform default), which is expected for skills. Because the skill can create/send campaigns, ensure the agent is configured to require explicit confirmation before sends (the SKILL.md mandates this). There's no request to change other skills' configs or system-wide settings.
Guidance
This skill appears to do what it claims and only asks for a Selzy API key, but exercise normal caution before installing an instruction-only skill from an unknown source. Before use: (1) Prefer creating a restricted/test Selzy API key (if Selzy supports scopes/limits) and test against a small test list rather than real customers. (2) Do not allow autonomous, unconfirmed sends — require the agent to ask for explicit confirmation before createCampaign/sendCampaign. (3) If possible, avoid placing the API key in a global config file accessible to all skills; store it in a per-skill or least-privilege secret store and rotate the key after testing. (4) Verify the skill's provenance if you need higher assurance (author, homepage, or repo). (5) Follow the skill's safety checklist (call getLists, verify list_id and count) to avoid accidental single-recipient sends or account rate-limit/bans.
Latest Release
v0.1.0
Selzy API Skill v0.1.0 - Provides complete integration with Selzy's email marketing API: manage contacts, lists, campaigns, and analyze results. - Emphasizes critical workflow change: campaigns require explicit list_id verification to avoid accidental single-recipient sends. - Documents real-world account ban risk: strict new rate limit of 1 campaign creation per hour after a recent incident. - Includes safety checklist, best practices, and updated reference for all endpoints and limits. - Requires SELZY_API_KEY for all API access.
Popular Skills
Published by @selzy-openclaw on ClawHub
