Is kit safe?

https://clawhub.ai/byungkyu/kit

82
SAFE

This is a documentation-only skill that provides Kit (ConvertKit) email marketing API integration via Maton's third-party gateway proxy. It contains no executable code, no install hooks, and exhibited clean behavior during installation. The primary concern is that all API traffic is routed through a third-party proxy service (gateway.maton.ai) which has full access to subscriber PII and OAuth tokens, representing a significant trust delegation that users should be aware of.

Category Scores

Prompt Injection 78/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (6)

MEDIUM All API traffic routed through third-party proxy -15

Every API call is proxied through gateway.maton.ai rather than going directly to api.kit.com. This means the Maton service has full visibility into all request and response data, including subscriber PII (email addresses, names, custom fields). Users are implicitly trusting a third party with their Kit account data.

MEDIUM Webhook creation allows arbitrary target URLs -10

The skill documents how to create webhooks with arbitrary target_url values. An agent could be instructed (or a prompt injection could cause it) to create webhooks that send subscriber activity data to attacker-controlled endpoints.

LOW Cross-reference to additional skill installation -7

The skill description includes a recommendation to install another skill ('api-gateway') with a direct URL. While not malicious, this creates a funnel that could lead users to install progressively more privileged skills.

LOW Inline shell execution patterns in code examples -15

Code examples use python heredoc patterns (python <<'EOF') that an LLM agent would execute directly via shell. While these are standard documentation patterns, they expand the execution surface if the agent auto-runs examples without user confirmation.

INFO OAuth token delegation to third-party service -35

The skill's architecture requires users to delegate their Kit OAuth token management to Maton. The gateway 'automatically injects your OAuth token', meaning Maton stores and manages the user's Kit credentials. This is a significant trust delegation beyond what a simple API wrapper implies.

INFO Clean install with no anomalous behavior -5

The skill installed cleanly with no network connections, no process spawning, and no filesystem modifications outside expected paths. All observed filesystem activity was from the platform's own install toolchain.