Klaviyo 1.0.4
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: klaviyo-1-0-4
Version: 1.0.0
The Klaviyo skill bundle provides a standard integration for the Klaviyo API via a managed OAuth gateway (maton.ai). The SKILL.md file contains well-documented Python snippets using standard libraries to interact with the gateway, and there is no evidence of malicious intent, data exfiltration to unauthorized endpoints, or prompt injection attacks.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill is allowing Maton’s gateway to act on a connected Klaviyo account according to the requests made.
The skill requires a Maton API key and uses managed OAuth to access Klaviyo. This is expected for the integration, but it is delegated account access.
All requests require the Maton API key in the Authorization header: Authorization: Bearer $MATON_API_KEY
Use a trusted Maton account, keep MATON_API_KEY private, and ensure the connected Klaviyo account has only the access needed.
The agent could help read or change customer profiles, lists, campaigns, flows, catalogs, or webhooks if the user asks it to make those API calls.
The skill exposes broad raw API access through a gateway. That is central to the stated purpose, but it can enable sensitive reads and account mutations if used carelessly.
Replace `{native-api-path}` with the actual Klaviyo API endpoint path. The gateway proxies requests to `a.klaviyo.com` and automatically injects your OAuth token.
Review requests before write, delete, campaign, webhook, or bulk operations; prefer limited filters and explicit IDs.
A request could affect the wrong Klaviyo workspace or account if multiple connections are active.
When multiple Klaviyo connections exist, omitting the Maton-Connection header may route actions to a default connection rather than the one the user intended.
If omitted, the gateway uses the default (oldest) active connection.
List active connections and set the Maton-Connection header explicitly for any important read or mutation.
Users or agents might copy the sample ID instead of using their own connection ID, causing failed or unintended requests.
The documentation uses a concrete-looking connection_id instead of a placeholder. It is not shown to be a secret, but it could be mistaken for a usable ID.
"connection_id": "21fd90f9-5935-43cd-b6c8-bde9d915ca80"
Replace the sample ID with a placeholder in documentation and always use a connection ID returned for the user’s own account.
Users have less registry-level information to verify the publisher and version before trusting the credentialed gateway.
The skill has limited provenance metadata, and the registry version differs from the packaged _meta.json version shown as 1.0.4. There is no executable install code, so this is a trust/provenance note rather than evidence of malicious behavior.
Source: unknown; Homepage: none; Registry version: 1.0.0
Verify the Maton service and publisher out-of-band before connecting a production Klaviyo account.
