Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Api Gateway 1.0.70

v1.0.0

Connect to 100+ APIs (Google Workspace, Microsoft 365, GitHub, Notion, Slack, Airtable, HubSpot, etc.) with managed OAuth. Use this skill when users want to...

by andrethedev @andre-thedev
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description describe a passthrough API gateway; SKILL.md only asks for MATON_API_KEY and shows calls to Maton gateway/control URLs — these are coherent with the declared purpose (proxying many third‑party APIs via Maton).
Instruction Scope
Runtime instructions limit actions to calling Maton endpoints (gateway.maton.ai, ctrl.maton.ai, connect.maton.ai) and using MATON_API_KEY. That stays within the stated purpose. However, the gateway lets the agent make arbitrary proxied requests to any third‑party APIs the Maton account has connections for, which is a powerful capability: the agent could read or modify data in any connected service. SKILL.md does not instruct the agent to read local files or other env vars.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is downloaded or written to disk by an installer, which is low technical risk.
Credentials
Only one environment variable is required (MATON_API_KEY), which is proportionate to a managed-gateway integration. But that single key can be high‑value: possession of it lets the holder call the gateway on behalf of the Maton account and access any third‑party connections already authorized in that account. Ensure the key is scoped, rotated, and limited where possible.
Persistence & Privilege
always:false and no special OS/config paths requested. Model invocation is allowed (default) — that is normal. Note: autonomous invocation combined with the gateway's broad access increases potential blast radius, but the skill does not request privileged platform flags like always:true.
What to consider before installing
This skill appears to be a documented Maton API gateway and only requires a MATON_API_KEY to operate. Before installing:
(1) Confirm the skill publisher and owner identity (there are metadata/version mismatches in the packaged files that look like sloppy packaging);
(2) Understand that the MATON_API_KEY is powerful — it permits the skill to proxy requests to any third‑party service your Maton account has connected, so remove or restrict unneeded connections first;
(3) Limit the API key's scope and rotate it after use where possible;
(4) If you rely on strict data controls, review which services are connected in your Maton account and consider creating a separate Maton account/key for this integration;
(5) If the metadata mismatches (ownerId and version differences) worry you, ask the registry maintainer or the publisher (maton.ai) for provenance/packaging clarification before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latest vk97dczs9j27jx31avbgtmh69ws83chzm

Runtime requirements

🧠 Clawdis
Env: MATON_API_KEY
