Klaviyo

Name: klaviyo
Author: byungkyu

Share on X Share on LinkedIn Share on Bluesky

70High

The skill encourages Python code execution, enabling arbitrary commands and access to sensitive environment variables like MATON_API_KEY.

ThreatsCI SM CS BC S HITL

Behavior Analysis

Description verified — behavior matches claim

Claims to do

Klaviyo: Access the Klaviyo API with managed OAuth authentication. Manage profiles, lists, segments, campaigns, flows, events, metrics, templates, catalogs, and webhooks for email marketing and customer engagement.

Actually does

This skill acts as a proxy to the Klaviyo API via `https://gateway.maton.ai/klaviyo/{native-api-path}`. It uses `urllib.request` (Python) or `fetch` (JavaScript) to send authenticated HTTP requests with a `MATON_API_KEY` and a `revision` header. It also interacts with `https://ctrl.maton.ai` to manage Klaviyo OAuth connections, allowing management of various Klaviyo resources like profiles, lists, campaigns, events, templates, and webhooks.

Threat Analysis

AI Agent Traps ↗Scanned 4/15/2026

Content InjectionPerceptionclean

Semantic ManipulationReasoningclean

Cognitive StateMemory & Learningclean

Behavioural ControlAction1 finding

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseerclean

Skill Info

Namebyungkyu/klaviyo

Registryclawhub

Version1.0.4

PURLpkg:clawhub/byungkyu/klaviyo@1.0.4

Stars9

Downloads15,714

Installs13

Source

Repository ↗

SHA-256c655611b4780...

SHA-112a34d367817...

MD5c0bc389565d2...

TLSHcaf28483b401...

ssdeep768:J9ps9q19...

Size36,754 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

OpenClawDocs

https://clawhub.ai/byungkyu/klaviyo

15,714 downloads13 installs

ClawHubDocs

openclaw skills install byungkyu/klaviyo

Assessments (1)

AI Agent Traps ↗

Arbitrary Python Code Execution with Credential Accesshighcommand execution

The skill explicitly provides and encourages the execution of Python code snippets, which grants the agent the capability to run arbitrary commands and access sensitive environment variables like MATON_API_KEY.

100% confidenceline 20

python <<'EOF' import urllib.request, os, json req = urllib.request.Request('https://gateway.maton.ai/klaviyo/api/profiles') req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}') ... EOF

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/clawhub/byungkyu/klaviyo.svg)](https://mondoo.com/ai-agent-security/skills/clawhub/byungkyu/klaviyo)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/clawhub/byungkyu/klaviyo"><img src="https://mondoo.com/ai-agent-security/api/badge/clawhub/byungkyu/klaviyo.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/clawhub/byungkyu/klaviyo.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow