ClawAudit verdict
kit-email-operator
Email marketing automation for ConvertKit/Kit using a user-provided v4 API key; generates email copy and schedules broadcasts through the Kit API for the stated email marketing purpose.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Findings (5)
Recursive delete from root or home — destructive command
INSTALLATION.md · code · rm -rf ~
Possible hardcoded credential
INSTALLATION.md · prose · downgraded · secret="NEW_SECRET
References agent memory files
SETUP.md · code · MEMORY.md
Popular HTTP library — network access
SKILL.md · code · Got
Node http/https module — low-level network access
scripts/kit-api.js · prose · downgraded · require('https')
Permissions & capabilities
No declared permissions — minimal attack surface.
network_in Is this flag fair?
Thanks — recorded.