Api Gateway 1.0.70

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad live API gateway that is mostly coherent, but it under-discloses some non-OAuth credential models and exposes high-impact write/delete/admin actions without consistent safety guidance.

Install only if you trust Maton with brokered access to the connected services and are prepared to manage scopes carefully. Treat every POST, PUT, PATCH, DELETE, send, publish, permission, billing, and admin endpoint as a live production action; require explicit user confirmation and verify target IDs/accounts before use. Pay special attention to integrations documented as API-key based, because they do not match the top-level OAuth-only security description.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (64)

Intent-Code Divergence (severity: Medium, confidence: 88%)
The README states that Baserow uses API key authentication rather than the skill's stated managed OAuth connect flow, creating a security model mismatch. In an API-gateway skill that claims per-user authorized access, introducing service-specific API keys can bypass expected consent, scoping, auditability, and secret-handling controls, which can lead to unauthorized cross-tenant or over-scoped access if implemented as documented.

Scope Creep (severity: Medium, confidence: 91%)
The README documents file upload endpoints while also claiming that database tokens grant access only to database row endpoints, which is an inconsistent and potentially dangerous capability description. Such mismatches can cause agents or users to assume broader permissions are available than intended, increasing the risk of unintended data exfiltration, unsafe file handling, or use of credentials beyond their true scope.

Intent-Code Divergence (severity: Medium, confidence: 95%)
The README states 'Uses API key authentication,' which directly contradicts the skill metadata stating third-party access requires explicit user OAuth authorization through Maton's connect flow. This kind of misleading authentication guidance can cause agents or developers to design flows that mishandle credentials, bypass expected consent assumptions, or request/store secrets incorrectly.

Description-Behavior Mismatch (severity: Medium, confidence: 94%)
The reference states that fal.ai uses API key authentication rather than the skill's declared managed OAuth connection model. In an API-gateway skill, this mismatch can mislead an agent or developer into handling third-party credentials outside the approved authorization flow, increasing the risk of secret collection, bypass of user-consent boundaries, or insecure integration behavior.

Intent-Code Divergence (severity: High, confidence: 98%)
The README states Manus uses API_KEY authentication, which conflicts with the skill metadata claim that third-party services require explicit user OAuth authorization through Maton's connect flow. This mismatch can cause an agent or operator to treat a raw API-key-backed integration as if it were user-scoped OAuth, creating a serious risk of unauthorized access, overbroad access, or policy bypass.

Intent-Code Divergence (severity: Medium, confidence: 91%)
The schema documentation and examples instruct callers not to use database_id for page creation in ambiguous database setups and instead rely on fetch-derived data_source_id, but the actual input schema still permits database_id. This mismatch can cause agents or integrations to select an unsafe or invalid parent target, leading to misdirected content creation, failed operations, or bypass of intended workflow validation based on fetched data source context.

Intent-Code Divergence (severity: High, confidence: 98%)
The reference explicitly states Reducto uses API key authentication, which conflicts with the skill-level security statement claiming third-party services require explicit user OAuth authorization. This mismatch can mislead users and downstream agents about the trust boundary and consent model, potentially causing sensitive documents to be sent to an external service under weaker or different authorization assumptions.

Missing User Warnings (severity: Medium, confidence: 88%)
The documentation includes examples that perform state-changing third-party actions, such as posting Slack messages and creating HubSpot contacts, without prominent warnings or requiring explicit confirmation. In an agent setting, copyable examples like these can normalize destructive operations and increase the risk of unintended actions against connected user accounts.

Missing User Warnings (severity: Medium, confidence: 88%)
The README documents write-capable operations such as creating and updating contacts/accounts without any explicit warning that these actions modify data in a remote third-party CRM. In an agent skill context, that omission increases the risk of accidental destructive or unauthorized business-data changes because users or downstream agents may treat the examples as harmless reference calls rather than state-changing operations.

Missing User Warnings (severity: Medium, confidence: 85%)
The enrichment and email-query examples involve personal data such as email addresses, LinkedIn URLs, contact identities, and message metadata, but the documentation does not warn that these requests may process sensitive personal or regulated business information. In a multi-API agent environment, this can lead to inappropriate collection, enrichment, or querying of personal data without adequate user awareness, consent checks, or minimization.

Missing User Warnings (severity: Medium, confidence: 91%)
Stating that authentication is automatic and that the router injects the API key, without clearly warning that requests are sent to an external service using stored credentials, can mislead users into underestimating the real-world effects of invoking the skill. In an agent setting, this increases the chance of unintended external API calls against live accounts and reduces informed consent around credentialed access to third-party systems.

Missing User Warnings (severity: Medium, confidence: 93%)
The documentation explicitly includes write-capable and destructive Basecamp operations such as creating projects, creating todos, completing todos, and trashing recordings, but it does not warn that these actions modify or delete user data. In an API gateway skill that brokers access to third-party SaaS accounts via OAuth, this omission increases the chance that an agent or user will invoke state-changing endpoints without clear confirmation or awareness of the consequences.

Missing User Warnings (severity: Medium, confidence: 88%)
The README documents access to account data and operational posting capabilities while also describing API key authentication, but provides no warning about sensitive personal data, credential handling, or the need for user-scoped authorization. In an agent skill that connects to external services, this increases the chance of improper secret collection, overbroad data access assumptions, or unsafe automation against user social accounts.

Missing User Warnings (severity: Medium, confidence: 88%)
The documentation includes a destructive delete operation for projects without any guidance to require user confirmation, validate intent, or warn about irreversible effects. In an agent/tooling context, this increases the chance that an LLM-driven workflow could invoke deletion based on ambiguous user input or incomplete authorization checks.

Missing User Warnings (severity: Low, confidence: 71%)
The time-entry examples handle user activity and work-pattern data, which can reveal sensitive behavioral information, but the reference provides no privacy or consent guidance. In an agent skill, omission of these warnings can lead to over-collection, retrieval, or modification of employee activity data without sufficient user awareness.

Missing User Warnings (severity: Medium, confidence: 89%)
The reference explicitly documents create/update/delete endpoints, including document deletion, without any warning that these operations are destructive or require explicit user confirmation. In an agent skill that enables actions against third-party services, omission of safety guidance increases the risk that downstream agents or users invoke destructive operations unintentionally.

Missing User Warnings (severity: Medium, confidence: 94%)
The permissions section documents endpoints that can add or remove document access without warning that they modify sharing and authorization state. In a managed OAuth gateway, these calls operate on real user-authorized resources, so undocumented access-control changes can lead to unintended exposure or revocation of access.

Missing User Warnings (severity: Medium, confidence: 87%)
The reference documents create, update, comment, and delete Confluence operations but provides no warning that these actions modify remote tenant data or may be irreversible. In an agent-skill context, this increases the chance an agent will invoke state-changing endpoints without explicit user confirmation, causing unintended content changes or deletion in a user's connected Confluence workspace.

Missing User Warnings (severity: Medium, confidence: 92%)
The README documents high-impact administrative actions such as suspending, unsuspending, and removing members, including options like data wiping and account transfer, without any caution that these operations are disruptive or potentially irreversible. In an agent skill context, this increases the chance that an automated workflow or unsuspecting user triggers destructive changes to a live Dropbox Business tenant without explicit confirmation or understanding of consequences.

Missing User Warnings (severity: High, confidence: 97%)
The documentation exposes a permanently_delete team folder operation with no warning that it is irreversible and can destroy organizational data. Because this skill is an API gateway for live third-party services, omission of a clear caution materially raises the risk of accidental or automated permanent data loss in a production Dropbox environment.

Missing User Warnings (severity: Medium, confidence: 90%)
The README explains use of the Dropbox-API-Select-User header to access files on behalf of a member, which is effectively an impersonation capability, but does not warn about privacy, authorization, and audit implications. In a multi-service agent environment, such documentation can normalize broad delegated access and make it easier to misuse legitimate admin scopes to inspect employee data without clear user awareness or policy checks.

Missing User Warnings (severity: Medium, confidence: 88%)
The README explicitly states that authentication is automatic and describes sending search queries, URLs, and content-extraction requests to an external service, but it does not warn that user-provided data may be transmitted to Exa or that retrieved page contents may include sensitive information. In an agent setting, this omission can lead developers or users to unknowingly route confidential prompts, internal URLs, or private research targets to a third-party API.

Missing User Warnings (severity: Medium, confidence: 89%)
The README explicitly documents state-changing operations against a live marketing platform, including creating, updating, and deleting contacts and sending newsletters, without any guidance to require user confirmation or highlight that these actions can modify customer records and trigger outbound communications. In an agent skill context, this increases the risk that an agent will treat destructive or customer-facing operations as routine API calls, leading to accidental data loss, unauthorized contact changes, or unintended bulk email sends.

Missing User Warnings (severity: Medium, confidence: 85%)
The README explicitly documents write-capable Google Ads mutate operations that can create campaigns and enable them, but it provides no warning, confirmation guidance, or guardrails around account-impacting actions. In the context of an API gateway skill that connects to real user-authorized ad accounts, this increases the chance an agent or user will treat destructive or billing-impacting operations as routine examples and execute them without sufficient consent.

Missing User Warnings (severity: Medium, confidence: 87%)
The documentation exposes a destructive DELETE operation for calendar events without any guidance to require user confirmation, preview the target event, or verify user intent. In an agent/tooling context, this increases the chance of accidental or prompt-induced deletion of user data because the model is given a ready-to-use destructive endpoint with no safety guardrails described.

VirusTotal

66/66 vendors flagged this skill as clean.