pp-klaviyo

SUSPICIOUS: the skill’s Klaviyo-focused capabilities mostly fit its stated purpose, but its trust boundary is weak. It installs and relies on third-party binaries from a different publisher identity, can route results to arbitrary webhook endpoints, and enables non-interactive real-world actions like sending campaigns and messages. This is not confirmed malware, but it is high-risk for credential exposure, exfiltration, and unintended account actions.