Api Gateway Tmp

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad API gateway that appears legitimate, but it gives agents high-impact access to many external services with inconsistent auth documentation and weak safeguards for write, delete, billing, admin, and webhook actions.

Install only if you trust Maton with gateway access to the connected services you authorize. Treat the MATON_API_KEY as sensitive, connect only the services and scopes you need, and require explicit user confirmation before any write, delete, billing, admin, posting, scheduling, or webhook action. Be aware that not every supported service appears to use OAuth; some references indicate API-key-based connections.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (69)

Intent-Code Divergence

Severity: Medium | Confidence: 91%
The reference explicitly says Baserow uses API key authentication rather than OAuth, which conflicts with the skill-level security description that emphasizes managed OAuth for connected services. This mismatch can mislead agents or users about trust boundaries, token handling, revocation, and consent flows, increasing the risk of improper credential collection or unsafe assumptions about scoped access.

Intent-Code Divergence

Severity: Medium | Confidence: 94%
The README states 'Uses API key authentication,' which conflicts with the skill metadata stating that third-party access requires explicit user OAuth authorization and that the MATON_API_KEY alone does not grant service access. In an API-gateway skill, inaccurate authentication guidance can cause downstream agents or integrators to mis-handle credentials, assume broader access than actually exists, or implement insecure flows that bypass expected OAuth consent checks.

Intent-Code Divergence

Severity: Medium | Confidence: 95%
The README states that fal.ai 'Uses API key authentication (not OAuth)', which conflicts with the skill's stated security model that third-party services require explicit user OAuth authorization through Maton's managed connect flow. This discrepancy can mislead implementers into designing direct API-key based integrations, bypassing expected consent and credential-handling controls and increasing the chance of improper secret collection or unauthorized service access patterns.

Intent-Code Divergence

Severity: High | Confidence: 97%
The reference explicitly says the Manus connection uses API_KEY authentication, which directly contradicts the skill metadata claiming third-party services require explicit user OAuth authorization through Maton's connect flow. This kind of security-boundary mismatch can cause users or downstream agents to overtrust the integration and send requests under the false assumption that user-scoped OAuth protections are in place.

Description-Behavior Mismatch

Severity: High | Confidence: 96%
The README documents a non-OAuth API-key-based integration, which conflicts with the skill description that presents the gateway as using managed OAuth for external services. That discrepancy is security-relevant because it misrepresents the trust model, authorization flow, and expected consent boundaries, increasing the risk of unauthorized access or unsafe agent behavior.

Vague Triggers

Severity: Medium | Confidence: 83%
The skill's invocation guidance says to use it when users want to interact with external services, which is extremely broad for a capability that can issue arbitrary authenticated requests to more than 100 third-party APIs. In an agent setting, that over-broad routing increases the chance the skill is selected for sensitive or destructive operations without narrow eligibility checks or explicit confirmation.

Missing User Warnings

Severity: Medium | Confidence: 95%
The markdown includes examples that post Slack messages, create HubSpot contacts, create connections, and delete connections, but it does not prominently warn that these are real state-changing operations requiring explicit user approval. In an agentic environment, example code often becomes operational guidance, so omission of safety warnings can lead to unintended writes, spam, account changes, or revocation of access.

Missing User Warnings

Severity: Medium | Confidence: 89%
This README exposes multiple state-changing scheduling operations such as creating, updating, canceling, and rescheduling appointments, as well as creating and deleting blocks, without any warning that these actions affect live customer calendars and availability. In an agent skill context, documentation often drives automated tool use, so omission of confirmation and safety guidance increases the risk of unintended destructive or business-impacting actions against user-authorized third-party accounts.

Missing User Warnings

Severity: Medium | Confidence: 88%
The reference explicitly documents create, update, replace, and delete Airtable operations but provides no warning that these actions mutate or permanently remove user data. In an agent skill context, this increases the chance an agent will invoke destructive endpoints without clear user confirmation or safety checks, leading to unintended record corruption or deletion in authorized bases.

Missing User Warnings

Severity: Medium | Confidence: 89%
The README documents write-capable endpoints for creating contacts/accounts and updating contacts without clearly warning that these operations change live Apollo CRM data. In an agent skill context, this increases the chance that an LLM or user will invoke destructive or unintended state-changing actions under the assumption that the examples are informational or low-risk.

Missing User Warnings

Severity: Medium | Confidence: 92%
The note that authentication is automatic via an injected API key omits a clear warning that requests send user data to the external Apollo service using connected credentials. In a multi-API agent environment, this can mislead developers or users into underestimating that sensitive prompts, identifiers, and enrichment targets may be transmitted to and acted on by a third party.

Missing User Warnings

Severity: Medium | Confidence: 87%
The webhook example encourages sending Asana event data to an arbitrary external URL without warning about data exposure, endpoint trust, or signature validation. In an agent context, this can normalize exfiltrating task or project metadata to third-party infrastructure and may lead users to configure insecure or attacker-controlled webhook targets.

Missing User Warnings

Severity: Medium | Confidence: 88%
The reference documents state-changing and destructive Basecamp operations such as creating projects, creating todos, completing todos, and trashing recordings, but it does not warn that these actions modify user data or may be irreversible. In an agent skill that brokers authenticated access to third-party services, this increases the risk that an agent or user invokes mutating endpoints without clear confirmation or understanding of the consequences.

Missing User Warnings

Severity: Medium | Confidence: 93%
The README exposes examples for sensitive and destructive billing operations such as canceling subscriptions, creating hosted checkout/payment flows, creating portal sessions, and downloading invoice PDFs, but it provides no warning that these actions can affect customer billing state, expose financial documents, or initiate account-management flows. In an agent skill, documentation often drives tool use directly, so omission of safety guidance increases the risk of unintended destructive or privacy-impacting actions by an automated agent or user.

Missing User Warnings

Severity: Medium | Confidence: 90%
The documentation includes destructive operations such as contact deletion without any warning, confirmation guidance, or mention of irreversible effects. In an agent/tooling context, this increases the chance that an LLM or user will invoke deletion based on ambiguous instructions, causing unintended data loss in an authorized third-party account.

Missing User Warnings

Severity: Medium | Confidence: 93%
The webhook creation example enables sending event data to an arbitrary external URL but does not warn that this configures ongoing external data transmission. In an agent-integrated API gateway, this can be abused to exfiltrate customer or business data to attacker-controlled infrastructure under the guise of normal automation.

Missing User Warnings

Severity: Medium | Confidence: 91%
The README exposes destructive delete operations for matters without any warning, confirmation guidance, or mention of authorization/user-consent requirements. In an agent skill that can act on real third-party legal data, this increases the chance an agent or integrator will invoke irreversible actions from loosely validated prompts or mistaken IDs.

Missing User Warnings

Severity: Low | Confidence: 79%
The README documents document download and user/contact retrieval endpoints that can expose sensitive legal and personal data, but provides no privacy or data-handling warning. In a legal-services context, omission of sensitivity guidance can lead agents to over-collect, over-display, or transfer confidential client information unnecessarily.

Missing User Warnings

Severity: High | Confidence: 80%
The documentation includes a permanently destructive endpoint for team folders without clearly stating that deletion is irreversible and may cause data loss. In an agent skill that helps users invoke external APIs, omission of such warnings increases the chance of accidental execution of high-impact admin actions by users or downstream agents.

Missing User Warnings

Severity: Medium | Confidence: 84%
The README explains how to use `Dropbox-API-Select-User` to access a member's files but does not warn that this enables delegated access to potentially sensitive personal or business data. In the context of an API-gateway skill, this omission can normalize privacy-invasive actions and increase the risk of overbroad or poorly understood access by users and agents.

Missing User Warnings

Severity: Medium | Confidence: 88%
The README recommends webhooks via '?fal_webhook=URL' without warning that request metadata and possibly result-related data will be sent to an external callback endpoint. In an agent skill that connects to external services, this can cause unintended exfiltration to attacker-controlled URLs or SSRF-style misuse if users or downstream tools supply untrusted webhook destinations.

Missing User Warnings

Severity: Medium | Confidence: 93%
The documentation prominently includes mutating GitHub operations such as creating issues, creating pull requests, and merging pull requests, but it does not clearly warn that these actions change remote state in a user's GitHub account or repository. In an agent skill that brokers OAuth-backed access to external services, this can lead users or downstream agents to invoke destructive or sensitive actions without sufficient awareness or confirmation, increasing the risk of unintended repository modifications.

Missing User Warnings

Severity: Medium | Confidence: 88%
The README includes concrete mutate examples for creating campaigns and enabling them on live Google Ads accounts, but it does not warn that these operations modify real ad infrastructure or may incur spend. In an agent skill that brokers authenticated access to external services, this increases the chance that an agent or user will execute state-changing actions without explicit confirmation or awareness of business impact.

Missing User Warnings

Severity: Medium | Confidence: 91%
The README highlights endpoints for listing and creating Measurement Protocol secrets without any warning that these values are sensitive credentials tied to server-side event ingestion. In an agent skill context that automatically injects OAuth tokens, normalizing access to secret-management operations without credential-handling guidance increases the chance of accidental exposure, insecure storage, or misuse of those secrets.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly documents create, update, patch, quick-add, and delete calendar operations but does not warn that these actions can modify or remove real user calendar data, send invites, or disrupt schedules. In an agent skill context, this omission increases the chance that downstream agents or users invoke destructive endpoints without appropriate confirmation or understanding of impact.

VirusTotal

66/66 vendors flagged this skill as clean.