ClawHub

Klaviyo 1.0.4

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Klaviyo API helper that can affect real marketing and customer data, but its capabilities fit its stated purpose and there is no hidden executable behavior.

Install only if you trust Maton to broker OAuth access to your Klaviyo account. Use a least-privilege Klaviyo connection where possible, specify the intended Maton connection when multiple accounts exist, and require explicit human review before deletes, campaign sends, webhook changes, bulk imports, or subscription/suppression changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill documents destructive delete operations against live Klaviyo resources and connection objects without any cautionary guidance, confirmation requirements, or discussion of irreversible effects. In an agentic setting, this increases the chance that a user request is translated into destructive actions on production marketing assets or OAuth connections without adequate human awareness.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill includes operations for sending campaigns and changing subscription/suppression state, all of which can directly affect customers, consent status, and privacy obligations, yet it provides no warning about regulatory or business impact. In an autonomous tool context, this can lead to accidental bulk messaging, unlawful subscription changes, or reputational harm if an agent executes these actions too readily.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal