authorizing-api-requests
Facilitates secure authentication for Mailtrap API requests, ensuring proper token management and account identification.
41/100
Security score
The authorizing-api-requests skill was audited on Jun 4, 2026, and we found 17 security issues across 4 threat categories, including 1 high-severity. Review the findings below before installing. Each finding is a pattern match on a single line of SKILL.md, so read the flagged line in context: the one high-severity finding ("Prompting for password/secret input") is raised on the line that tells the agent never to paste a token into chat or a prompt, and the five "Curl to non-GitHub URL" findings all point at Mailtrap's own API hosts (mailtrap.io, send.api.mailtrap.io, sandbox.api.mailtrap.io), which are the endpoints the skill exists to call.
Categories Tested
Security Issues
medium, line 85: Curl to non-GitHub URL (source: SKILL.md)
| 85 | curl -s https://mailtrap.io/api/accounts \ |

medium, line 107: Curl to non-GitHub URL (source: SKILL.md)
| 107 | export MAILTRAP_ACCOUNT_ID=$(curl -s https://mailtrap.io/api/accounts \ |

medium, line 117: Curl to non-GitHub URL (source: SKILL.md)
| 117 | curl -X POST https://send.api.mailtrap.io/api/send \ |

medium, line 123: Curl to non-GitHub URL (source: SKILL.md)
| 123 | curl "https://mailtrap.io/api/accounts/$MAILTRAP_ACCOUNT_ID/contacts/lists" \ |

medium, line 127: Curl to non-GitHub URL (source: SKILL.md)
| 127 | curl -X POST "https://sandbox.api.mailtrap.io/api/send/$MAILTRAP_INBOX_ID" \ |

medium, line 53: Access to .env file (source: SKILL.md)
| 53 | - **Local dev:** environment variable, or `.env` file that is in `.gitignore`. Load with `direnv`, `dotenv`, or the framework's built-in mechanism. |

medium, line 137: Access to .env file (source: SKILL.md)
| 137 | | Hardcoding the token in code, config, or a notebook | Load from `$MAILTRAP_API_TOKEN` (env, `.env`, CI secret, secret manager); rotate the token if it ever leaked | |

high, line 56: Prompting for password/secret input (source: SKILL.md)
| 56 | - **Agent / LLM workflows:** the host agent's secret store. Never paste a token into chat or a prompt. |

low, line 32: External URL reference (source: SKILL.md)
| 32 | Create tokens at **Settings** > [API Tokens](https://mailtrap.io/api-tokens) with the **smallest scope** that works: |

low, line 36: External URL reference (source: SKILL.md)
| 36 | - **Account-level API** — for Contacts, Templates, Sending Domains, Suppressions, and other endpoints under `https://mailtrap.io/api/accounts/{account_id}/...`. |

low, line 80: External URL reference (source: SKILL.md)
| 80 | `account_id` is the integer prefix on every `https://mailtrap.io/api/accounts/{account_id}/...` endpoint. **Do not hardcode it.** It changes between environments, is different per organization, and is |

low, line 85: External URL reference (source: SKILL.md)
| 85 | curl -s https://mailtrap.io/api/accounts \ |

low, line 107: External URL reference (source: SKILL.md)
| 107 | export MAILTRAP_ACCOUNT_ID=$(curl -s https://mailtrap.io/api/accounts \ |

low, line 117: External URL reference (source: SKILL.md)
| 117 | curl -X POST https://send.api.mailtrap.io/api/send \ |

low, line 123: External URL reference (source: SKILL.md)
| 123 | curl "https://mailtrap.io/api/accounts/$MAILTRAP_ACCOUNT_ID/contacts/lists" \ |

low, line 127: External URL reference (source: SKILL.md)
| 127 | curl -X POST "https://sandbox.api.mailtrap.io/api/send/$MAILTRAP_INBOX_ID" \ |

low, line 142: External URL reference (source: SKILL.md)
| 142 | | Hardcoding `account_id` | Resolve via `GET https://mailtrap.io/api/accounts` once per run and pass through `$MAILTRAP_ACCOUNT_ID` | |
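The flagged lines quote the skill's token-handling and account_id guidance one line at a time. The script below is an added example, not code from the skill, from Mailtrap, or from the scanner, that shows that guidance as one runnable POSIX shell script: the token is read from `MAILTRAP_API_TOKEN` and never printed, `account_id` is resolved from `GET https://mailtrap.io/api/accounts` at run time and validated as an integer before it is spliced into a URL, and the auth header is handed to curl on stdin so the token does not appear in process listings. Two details are assumptions not stated on this page: that Mailtrap reads the token from an `Api-Token` request header, and that the `/accounts` response is a JSON array of objects carrying an integer `id`. The sample response embedded in the script is constructed.

```shell
#!/usr/bin/env sh
# Added example, not code from the audited skill. Implements the pattern the
# flagged lines describe: token from the environment, account_id resolved at
# run time instead of hardcoded, nothing secret written to stdout or stderr.
#
# Assumptions (not stated on the audit page): Mailtrap authenticates with an
# `Api-Token` header, and GET /accounts returns a JSON array of objects that
# carry an integer "id".

MAILTRAP_API_BASE="${MAILTRAP_API_BASE:-https://mailtrap.io/api}"

# Constructed sample of a /accounts response, used only for offline checks.
SAMPLE_ACCOUNTS_JSON='[{"id":424242,"name":"Acme","access_levels":[100]},{"id":9,"name":"Other"}]'

# Fail closed when the token is missing. The value itself is never printed.
require_token() {
  if [ -z "${MAILTRAP_API_TOKEN:-}" ]; then
    echo "MAILTRAP_API_TOKEN is not set; export it from your secret store" >&2
    return 1
  fi
}

# Accept only a non-empty run of digits, so an error body or HTML page
# returned by the API can never be spliced into a later request URL.
check_account_id() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
  esac
}

# Extract the first "id" from a /accounts response with POSIX tools only.
# Commas and braces are turned into newlines first, so the first account's
# id is matched even when the whole array arrives on a single line.
first_account_id() {
  tr ',{}' '\n\n\n' |
    sed -n 's/^[[:space:]]*"id"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
    head -n 1
}

# Parse the constructed sample; exists so the parser can be checked offline.
demo_parse_sample() {
  printf '%s' "$SAMPLE_ACCOUNTS_JSON" | first_account_id
}

# Authenticated GET against the account API. The header is fed to curl on
# stdin (`-H @-`), so the token is not part of curl's argv and is not
# visible in `ps` output on a shared host.
mailtrap_get() {
  require_token || return 1
  printf 'Api-Token: %s\n' "$MAILTRAP_API_TOKEN" |
    curl -sS --fail -H @- "${MAILTRAP_API_BASE}$1"
}

# Resolve account_id once per run and validate it before anyone uses it.
resolve_account_id() {
  id=$(mailtrap_get /accounts | first_account_id)
  check_account_id "$id" || {
    echo "could not resolve an integer account_id from GET /accounts" >&2
    return 1
  }
  printf '%s\n' "$id"
}

# Live usage (needs a real token in the environment):
#   export MAILTRAP_API_TOKEN=...    # from your secret store, never from chat
#   sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
  MAILTRAP_ACCOUNT_ID=$(resolve_account_id) || exit 1
  export MAILTRAP_ACCOUNT_ID
  mailtrap_get "/accounts/$MAILTRAP_ACCOUNT_ID/contacts/lists"
fi
```

Run without arguments the script defines the functions and does no network I/O; `--live` performs the two calls the skill's lines 107 and 123 describe. When `jq` is available, replace `first_account_id` with `jq -r '.[0].id'`, keeping the `check_account_id` guard in place.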