Klaviyo
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The artifacts describe a coherent Klaviyo API connector, but it should only be used if you trust Maton and intend to grant access to Klaviyo customer and marketing data.
Before installing, make sure you trust Maton with access to your Klaviyo account and customer data. Keep MATON_API_KEY secret, specify the intended connection when multiple Klaviyo accounts exist, and require clear confirmation before any create, update, delete, webhook, campaign, or customer-data change.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
63/63 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved, the agent could change or delete Klaviyo marketing/customer resources.
This shows the skill can perform create, update, and delete actions in Klaviyo, but it also documents an approval requirement before those high-impact actions.
All write operations require explicit user approval. Before executing any create, update, or delete call, confirm the target resource and intended effect with the user.
Approve write actions only after checking the exact resource, account/connection, and intended effect.
Anyone or any agent using this key may be able to access the connected Klaviyo data and permitted API operations.
The skill requires a Maton API key that grants delegated access to the connected Klaviyo account.
All requests require the Maton API key in the Authorization header: `Authorization: Bearer $MATON_API_KEY`
Store MATON_API_KEY securely, use the least-privileged account available, and rotate or revoke access if it is exposed.
Klaviyo customer and marketing data may pass through Maton's service as part of normal use.
Klaviyo requests and responses are routed through a third-party gateway that also manages OAuth token injection.
Maton proxies requests to `a.klaviyo.com` and automatically injects your OAuth token.
Use this only if you trust Maton's service and account controls; review Maton's privacy/security terms for handling of Klaviyo data.
