Kit

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a legitimate Kit email-marketing API integration, but it can access and change subscriber and campaign data through Maton, so write actions should be approved carefully.

Before installing, make sure you trust Maton with your Kit account access and subscriber data. Keep MATON_API_KEY private, specify the intended Kit connection when multiple accounts exist, and only approve write, delete, broadcast, or webhook actions after checking the exact target and effect.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent using the configured key can access the connected Kit account within the documented scope.

Why it was flagged

The skill requires a bearer API key and uses managed OAuth to act on the user's Kit account. This is expected for the integration, but it is sensitive account authority.

Skill content

All requests require the Maton API key in the Authorization header... Maton proxies requests to `api.kit.com` and automatically injects your OAuth token.

Recommendation

Install only if you trust Maton and intend to connect Kit. Keep MATON_API_KEY secret, use the intended Kit connection, and revoke unused connections.

What this means

Incorrect write operations could create, modify, or delete subscriber and campaign data, or affect email-marketing workflows.

Why it was flagged

The skill exposes write-capable API operations against email-marketing resources. The behavior is purpose-aligned and the artifact requires explicit approval for writes, but mistaken approvals could affect real subscribers or campaigns.

Skill content

Manage subscribers, tags, forms, sequences, broadcasts, custom fields, and webhooks... All write operations require explicit user approval.

Recommendation

Review the exact resource, account connection, and intended change before approving any create, update, delete, broadcast, or webhook action.

What this means

Subscriber emails, tags, campaign metadata, and related Kit data may pass through Maton's service during use.

Why it was flagged

Requests and responses for Kit data pass through the Maton gateway. This is disclosed and central to managed OAuth, but it means subscriber and campaign data are handled by a third-party proxy.

Skill content

https://api.maton.ai/kit/{native-api-path} ... Maton proxies requests to `api.kit.com`

Recommendation

Use this only if Maton is an acceptable data processor for your Kit account data, and avoid requesting or sharing more subscriber data than needed.