Pakat Email Marketing
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: pakat
Version: 1.1.2

The OpenClaw skill bundle for Pakat email marketing API is classified as benign. All files consistently describe interaction with the `new.pakat.net` API using a `PAKAT_API_KEY`. The `SKILL.md` explicitly advises on 'Safe encoding' using heredocs to prevent shell injection when handling user-provided HTML content, demonstrating security awareness rather than malicious intent. There is no evidence of data exfiltration, unauthorized command execution, persistence, or prompt injection attempts against the agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or unintended command could create or schedule emails to subscribers.
The skill documents curl-based API calls that can create scheduled email campaigns. This is aligned with the stated email marketing purpose, but campaign sending can affect many recipients.
### Create and send a campaign
```bash
curl -s -X POST -H "X-API-KEY: $PAKAT_API_KEY" ... "https://new.pakat.net/api/campaigns"
```
Before allowing campaign or transactional email actions, verify recipients, list IDs, subject, sender, timing, and content.
Deleting lists, subscribers, campaigns, or templates could remove business data or disrupt marketing operations.
The API reference includes destructive operations for lists, subscribers, and campaigns. These are normal management functions for an email marketing API, but they should be user-confirmed.
| DELETE | /lists/{list_uid} | Delete list |
| DELETE | /lists/{list_uid}/subscribers/{subscriber_uid} | Delete subscriber |
| DELETE | /campaigns/{campaign_uid} | Delete campaign |

Use read-only/listing commands first, confirm object IDs, and require explicit user approval before delete or bulk-modification requests.
Anyone or any agent action using the API key may be able to view or change Pakat account resources allowed by that key.
The skill requires a Pakat API key to authenticate requests. This credential use is disclosed and purpose-aligned, but it grants delegated access to the user's Pakat account.
Require env var `PAKAT_API_KEY`. If not set, ask the user for their API key.
Use a least-privilege Pakat API key if available, keep it in the environment rather than chat when possible, and rotate it if exposed.
