Acuity Scheduling

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent Acuity Scheduling integration, but it relies on Maton OAuth/API keys and can access or change appointment, calendar, and client data.

Before installing, make sure you trust Maton/api.maton.ai, connect only the intended Acuity account, use the Maton-Connection header when multiple accounts exist, and require explicit confirmation for any create, update, or delete action.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using the skill can make authenticated requests within the connected Acuity Scheduling account's allowed scope.

Why it was flagged

The skill requires a Maton API key and delegated OAuth access to the user's Acuity account. This is expected for the integration, but it is sensitive account authority.

Skill content

All requests require the Maton API key in the Authorization header: Authorization: Bearer $MATON_API_KEY

Recommendation

Only install/use this if you trust Maton and the connected Acuity account is the intended one; revoke or delete the connection when it is no longer needed.

What this means

Approved actions could create, reschedule, cancel, update, or delete scheduling-related business data.

Why it was flagged

The skill can perform write operations against appointments, calendars, clients, or availability. The explicit approval requirement is a useful control, but users should notice the mutation capability.

Skill content

**All write operations require explicit user approval.** Before executing any create, update, or delete call, confirm the target resource and intended effect with the user.

Recommendation

Confirm the exact account, resource, time, client, and action before any create, update, or delete request.

What this means

Scheduling and client information may pass through Maton's service while using the skill.

Why it was flagged

Requests and responses are routed through Maton's API gateway, which is purpose-aligned but means appointment/client data and OAuth-backed operations involve a third-party proxy.

Skill content

Maton proxies requests to `acuityscheduling.com` and automatically injects your OAuth token.

Recommendation

Review Maton's privacy/security posture and avoid sending unnecessary sensitive client details through the integration.

What this means

Users have less registry-level information for verifying who maintains the skill before granting account access.

Why it was flagged

The registry metadata does not provide a source repository or homepage, which is a provenance gap for a credentialed third-party integration, though no installable code is present.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the Maton service and publisher independently before connecting OAuth or storing MATON_API_KEY.