# DoubleTick

Security checks across static analysis, malware telemetry, and agentic risk

## Overview
DoubleTick is coherent for its stated purpose, but it asks you to trust an npm-based MCP tool with Gmail sending access and recipient open-tracking data.
Install this only if you want an agent-connected tool that can send Gmail messages with tracking pixels. Review OAuth/login permissions, inspect the npm/GitHub package if possible, and confirm each email's recipient and content before sending.
## Static analysis

No static analysis findings were reported for this release.

## VirusTotal
VirusTotal findings are pending for this skill version.
## Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this tool could send tracked emails on your behalf, so mistakes could disclose information or contact people unintentionally.
The skill exposes a tool that can send external email from the user's account. This is the core purpose, but it is a high-impact action if invoked with the wrong recipient or content.
- **send_tracked_email** — Send an email with read tracking.
Use only when you intend to send a tracked email, and review recipient, subject, and body before allowing the send.
The tool may operate using your Gmail and DoubleTick identity, including sending messages through Gmail.
The integration needs account access for Gmail sending and DoubleTick tracking. This is expected for the feature, but it gives the tool delegated authority tied to user accounts.
- A Gmail account
- A [DoubleTick](https://doubletickr.com) account
Check the OAuth/login prompts and scopes carefully, and consider using a dedicated account if you do not want this tied to your main Gmail account.
You are trusting the published npm package to handle account login, Gmail sending, and tracking behavior safely.
The MCP server is launched from an npm package via npx, and the provided artifact set contains only SKILL.md, so the package implementation was not reviewed here. The install spec does not pin a package version, so each launch resolves whatever `doubletick-cli` version npm currently serves.

```json
"command": "npx", "args": ["-y", "doubletick-cli"]
```
Review the linked npm/GitHub project, pin a known version rather than relying on the unpinned `npx` invocation, and install only if you trust the package maintainer.
Recipient open activity and device/timing metadata may be recorded by DoubleTick and made available through the tool.
The skill sends tracking pixels and stores or retrieves recipient open metadata, including device and timing information. This is disclosed and central to the product, but it is sensitive behavioral data.
> the pixel fires and the open is logged ... with open count, device, and timing
Use tracking only where appropriate and lawful, avoid sending sensitive content unnecessarily, and review DoubleTick's privacy practices.
