DoubleTick

v1.0.1

Send tracked emails via Gmail and check if they were opened.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (send tracked Gmail messages and check opens) align with the declared dependency (npx) and the install target (npm package doubletick-cli). Requiring a Gmail account and a DoubleTick account is consistent with the functionality.
Instruction Scope
SKILL.md instructs you to run 'npx doubletick-cli login' and to register the CLI as an MCP tool. This stays within the stated purpose (sending tracked email/checking opens) but omits details about where credentials/OAuth tokens are stored and how tracking data is routed/stored. It also relies on executing a third-party CLI (via npx) which may fetch and run code at runtime.
Install Mechanism
Install is an npm package (doubletick-cli) with links to npm and GitHub. Using npm is expected for a JS CLI, but npm packages run arbitrary code and npx can install/execute code on demand — review the package source and maintainers. The install does not use unusual or untrusted URLs.
Credentials
No unexpected environment variables or unrelated credentials are requested. The skill reasonably relies on account logins (Gmail and DoubleTick) rather than exposing access to unrelated services.
Persistence & Privilege
always is false and the skill is user-invocable. The skill permits model invocation (default), which is normal, but because it can send emails and record opens, you should be cautious about allowing autonomous invocations without explicit user consent.
Assessment
This skill appears to be what it claims: a CLI that injects tracking pixels into Gmail messages and reports opens. Before installing, verify the npm package and GitHub repository (review code, maintainers, recent activity, and open issues). Be aware that npx can fetch and execute code on demand — consider installing the package yourself (not using npx every time) or pinning a verified version. Confirm how OAuth tokens/credentials are stored and who receives tracking data (DoubleTick's servers); tracking pixels capture recipient metadata and may have legal/privacy implications. Finally, restrict or disable autonomous agent invocation if you don't want the agent to send emails without explicit approval.

Like a lobster shell, security has layers — review code before you run it.

latest vk972gpxkdz8m0ekwd6c3m58gs5825vr2

Runtime requirements

✔️ Clawdis
Bins: npx

Install

Node
Bins: doubletick
npm i -g doubletick-cli
