Kit

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: kit
Version: 1.0.3

The 'kit' skill is a legitimate API integration for Kit (formerly ConvertKit) using the Maton (api.maton.ai) proxy service for managed OAuth. It provides standard functionality for managing subscribers, tags, and forms, and includes explicit instructions in SKILL.md requiring user approval for write operations. The provided Python and JavaScript code examples are standard for API interactions and do not exhibit any signs of malicious intent, data exfiltration, or unauthorized execution.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent using the configured key can access the connected Kit account within the documented scope.

Why it was flagged

The skill requires a bearer API key and uses managed OAuth to act on the user's Kit account. This is expected for the integration, but it is sensitive account authority.

Skill content

All requests require the Maton API key in the Authorization header... Maton proxies requests to `api.kit.com` and automatically injects your OAuth token.

Recommendation

Install only if you trust Maton and intend to connect Kit. Keep MATON_API_KEY secret, use the intended Kit connection, and revoke unused connections.

What this means

Incorrect write operations could create, modify, or delete subscriber and campaign data, or affect email-marketing workflows.

Why it was flagged

The skill exposes write-capable API operations against email-marketing resources. The behavior is purpose-aligned and the artifact requires explicit approval for writes, but mistaken approvals could affect real subscribers or campaigns.

Skill content

Manage subscribers, tags, forms, sequences, broadcasts, custom fields, and webhooks... All write operations require explicit user approval.

Recommendation

Review the exact resource, account connection, and intended change before approving any create, update, delete, broadcast, or webhook action.

What this means

Subscriber emails, tags, campaign metadata, and related Kit data may pass through Maton's service during use.

Why it was flagged

Requests and responses for Kit data pass through the Maton gateway. This is disclosed and central to managed OAuth, but it means subscriber and campaign data are handled by a third-party proxy.

Skill content

https://api.maton.ai/kit/{native-api-path} ... Maton proxies requests to `api.kit.com`

Recommendation

Use this only if Maton is an acceptable data processor for your Kit account data, and avoid requesting or sharing more subscriber data than needed.