Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Convertkit

v1.0.0

ConvertKit (Kit) creator marketing — manage subscribers, forms, sequences, broadcasts, tags, and automations via the ConvertKit API. Build email lists, creat...

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, commands, and required credential (CONVERTKIT_API_KEY) align with a ConvertKit integration. The CLI implements subscriber, tag, form, sequence, and broadcast operations as claimed.
Instruction Scope (flagged)
SKILL.md states the skill requires CONVERTKIT_API_KEY and that it never stores data locally; it does not mention that the script will search for CONVERTKIT_API_KEY inside a workspace .env file (default: ~/.openclaw/workspace/.env) or that it will consult a WORKSPACE environment variable. That file-read behavior broadens scope beyond the documented instructions and is not declared in SKILL.md.
Install Mechanism
No install spec; this is an instruction-only skill with a single Python stdlib script. No external downloads or package installs are requested.
Credentials (flagged)
Only CONVERTKIT_API_KEY is declared and is appropriate for the stated purpose. However, the script also checks an undeclared WORKSPACE env var and reads a .env file under that path (or a default in the user's home). Reading arbitrary workspace .env files can expose other secrets in that file and is not justified or documented in the SKILL.md.
Persistence & Privilege
The skill does not request permanent presence (always:false), does not modify other skills or global settings, and does not write files. It only reads environment variables or the workspace .env fallback.
What to consider before installing
This skill appears to implement what it claims (ConvertKit API operations) and only needs your ConvertKit API key — however the bundled script will, if the env var is missing, attempt to read a .env file from a workspace path (defaults to ~/.openclaw/workspace/.env) and will honor an undeclared WORKSPACE env var. That means it may read files you didn't expect it to access. Before installing or running:

  1. Inspect scripts/convertkit.py yourself (or have someone you trust do so).
  2. Prefer providing CONVERTKIT_API_KEY explicitly in the agent's secret store rather than relying on a workspace .env file.
  3. Avoid running with a workspace that contains unrelated secrets, or remove/secure other secrets in the .env.
  4. Consider using a limited-scope API key (rotate it after testing).
  5. If you want the skill to be fully transparent, ask the publisher to document the .env fallback behavior in SKILL.md or remove that fallback.

If the author documents or removes the .env/WORKSPACE behavior, this assessment could be upgraded to benign.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

✉️ Clawdis
Env: CONVERTKIT_API_KEY
Primary env: CONVERTKIT_API_KEY
latest: vk973r6nj6t1qb44zzgjfw7xf4n827mbx
373 downloads
0 stars
1 version
Updated 8h ago
v1.0.0
MIT-0

✉️ ConvertKit

ConvertKit (Kit) creator marketing — manage subscribers, forms, sequences, broadcasts, tags, and automations via the ConvertKit API.

Features

  • Subscriber management — add, tag, search, and segment
  • Form management — list forms and their subscribers
  • Email sequences — create and manage drip campaigns
  • Broadcasts — create and send one-time emails
  • Tag operations — create, apply, remove subscriber tags
  • Automation rules — view automation workflows
  • Custom fields — manage subscriber custom fields
  • Subscriber search — find by email or custom attributes
  • Analytics — subscriber growth, form conversions, sequence stats
  • Bulk operations — tag/untag multiple subscribers

Requirements

Variable | Required | Description
CONVERTKIT_API_KEY | | API key/token for ConvertKit

Quick Start

# List subscribers
python3 {baseDir}/scripts/convertkit.py subscribers --limit 50 --sort created_at
# Get subscriber details
python3 {baseDir}/scripts/convertkit.py subscriber-get 12345
# Add a subscriber
python3 {baseDir}/scripts/convertkit.py subscriber-add --email "user@example.com" --first-name "Jane"
# Search by email
python3 {baseDir}/scripts/convertkit.py subscriber-search "user@example.com"

Commands

subscribers

List subscribers.

python3 {baseDir}/scripts/convertkit.py subscribers --limit 50 --sort created_at

subscriber-get

Get subscriber details.

python3 {baseDir}/scripts/convertkit.py subscriber-get 12345

subscriber-add

Add a subscriber.

python3 {baseDir}/scripts/convertkit.py subscriber-add --email "user@example.com" --first-name "Jane"

subscriber-search

Search by email.

python3 {baseDir}/scripts/convertkit.py subscriber-search "user@example.com"

tags

List all tags.

python3 {baseDir}/scripts/convertkit.py tags

tag-create

Create a tag.

python3 {baseDir}/scripts/convertkit.py tag-create "VIP Customer"

tag-apply

Tag a subscriber.

python3 {baseDir}/scripts/convertkit.py tag-apply --tag 123 --email user@example.com

tag-remove

Remove tag.

python3 {baseDir}/scripts/convertkit.py tag-remove --tag 123 --email user@example.com

forms

List forms.

python3 {baseDir}/scripts/convertkit.py forms

form-subscribers

List form subscribers.

python3 {baseDir}/scripts/convertkit.py form-subscribers 456

sequences

List sequences.

python3 {baseDir}/scripts/convertkit.py sequences

sequence-subscribers

List sequence subscribers.

python3 {baseDir}/scripts/convertkit.py sequence-subscribers 789

broadcasts

List broadcasts.

python3 {baseDir}/scripts/convertkit.py broadcasts --limit 20

broadcast-create

Create a broadcast.

python3 {baseDir}/scripts/convertkit.py broadcast-create '{"subject":"Weekly Update","content":"<p>Hello!</p>"}'

broadcast-send

Send a broadcast.

python3 {baseDir}/scripts/convertkit.py broadcast-send 12345

Output Format

All commands output JSON by default. Add --human for readable formatted output.

# JSON (default, for programmatic use)
python3 {baseDir}/scripts/convertkit.py subscribers --limit 5

# Human-readable
python3 {baseDir}/scripts/convertkit.py subscribers --limit 5 --human

Script Reference

Script | Description
{baseDir}/scripts/convertkit.py | Main CLI — all ConvertKit operations

Data Policy

This skill never stores data locally. All requests go directly to the ConvertKit API and results are returned to stdout. Your data stays on ConvertKit servers.

Credits

Built by M. Abidi | agxntsix.ai
YouTube | GitHub
Part of the AgxntSix Skill Suite for OpenClaw agents.
