API Gateway

v1.0.84

Connect to 100+ APIs (Google Workspace, Microsoft 365, GitHub, Notion, Slack, Airtable, HubSpot, etc.) with managed OAuth. Use this skill when users want to...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases · Requires OAuth token · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (API gateway to 100+ services) matches the declared requirement (MATON_API_KEY) and the SKILL.md which documents calls to gateway.maton.ai and ctrl.maton.ai. The included reference docs (service routing, schemas) are consistent with a proxy that forwards native API calls.
Instruction Scope
SKILL.md only instructs making HTTP requests to Maton's gateway and control endpoints and shows examples for listing/creating/deleting connections and proxying native API calls. It does not instruct reading unrelated files or extra environment variables. However, the documented operations include powerful modify/delete endpoints (e.g., Notion create/update/delete, email send), so any agent action using this skill can modify user data in connected services if the user has authorized those connections.
Install Mechanism
Instruction-only skill with no install spec and no binaries to download — lowest installation risk. All runtime behavior is network calls to Maton endpoints as documented in SKILL.md.
Credentials
Only requests one environment variable (MATON_API_KEY), which is appropriate for an API gateway. Be aware that possession of this key allows the agent to call Maton APIs on your account: while SKILL.md states the key alone doesn't grant access to third-party services without explicit OAuth, the gateway and Maton backend will see requests and (once connections exist) can act on behalf of those connections.
Persistence & Privilege
always:false and user-invocable:true are normal. The skill can be invoked autonomously by the agent (disable-model-invocation:false), which is platform default; combined with the ability to call many modify-capable APIs, this increases the impact of agent-autonomous actions — consider restricting autonomous use if you don't want the agent to act on connected accounts without explicit confirmation.
Assessment
This skill is coherent for its stated purpose, but it relies on trusting Maton (gateway.maton.ai / ctrl.maton.ai). Before installing, consider:
(1) Only provide MATON_API_KEY if you trust Maton—the gateway will see proxied requests and can act on authorized connections.
(2) Review Maton’s privacy/security and API key controls (scopes, rotation, revocation).
(3) Be cautious about enabling autonomous invocation for agents that have this key—agents could send messages, modify documents, or delete content in connected services.
(4) When possible, limit which Maton connections you create and avoid authorizing high-risk accounts until you’ve verified behavior.
(5) If you need higher assurance, ask the vendor for security docs (audit logs, data retention, encryption, least-privilege onboarding) or run actions manually rather than granting agent autonomy.

Like a lobster shell, security has layers — review code before you run it.

latest vk97e7g4js4j81xg41g1hgawjth84xph1

Runtime requirements

🧠 Clawdis
Env: MATON_API_KEY
