convertkit-automation

SUSPICIOUS. The skill's ConvertKit operations are coherent, and the Rube MCP endpoint appears officially tied to Composio, so this is not confirmed malware. However, all account data and actions are mediated through a third-party hosted MCP/OAuth service rather than direct Kit APIs, and the skill enables destructive real-world actions; that makes the data flow and trust model moderately risky.