API Gateway

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This looks like a legitimate API gateway skill, but it deserves Review because it gives agents broad credentialed power over many live business services and includes some unsafe or under-scoped guidance.

Install only if you trust Maton with access to the connected accounts and are comfortable approving live API actions. Use least-privilege OAuth scopes, specify the exact connection, start with read-only calls, require explicit confirmation for every write/delete/send/admin action, avoid printing MATON_API_KEY, and revoke unused connections after the task.

SkillSpector (148)

By NVIDIA

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The reference explicitly instructs users to send media uploads directly to pre-signed `www.linkedin.com` URLs instead of staying within Maton-managed gateway routes. Even if required by LinkedIn's upload design, this bypasses the skill's stated routing boundary, reducing centralized policy enforcement, logging, and egress control and making SSRF/data-exfiltration style abuse easier if upload URLs are mishandled or spoofed.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The sample code performs a direct outbound `urllib.request.urlopen(upload_req)` to a runtime-provided `upload_url`, which bypasses the Maton gateway and its controls. Because the URL comes from an API response and is then used for raw outbound traffic, the skill enables network access outside the declared trust boundary and could be abused if URL validation or host restrictions are absent.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The schema explicitly exposes a destructive capability via the `in_trash` field and a 'Trash data source' example, even though the skill metadata emphasizes starting with read/list operations and only acting on named user tasks. This increases the chance an agent will treat a schema-update tool as also acceptable for deletion-like operations, leading to accidental or insufficiently authorized data loss.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The tool is presented as updating schema, title, or attributes, but it also permits trashing the data source through both the example and the `in_trash` parameter. This mismatch is dangerous because an agent or user may select the tool expecting non-destructive metadata changes while unknowingly invoking a destructive state change.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The reference exposes a very broad set of Slack capabilities, including read, write, destructive, and administrative actions, while the skill metadata only generically describes routing through managed API routes and merely advises starting with read/list calls. This mismatch can mislead an agent into believing high-risk actions are in-scope, increasing the chance of unauthorized modification, deletion, or overcollection of workspace data.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The documented channel lifecycle and membership-management operations enable impactful administrative changes such as creating, renaming, archiving channels, and inviting or removing users. In the context of a generic API-gateway skill, these capabilities are more dangerous because they exceed simple routing/reference behavior and could be abused to disrupt collaboration or alter workspace access.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The troubleshooting section instructs users to run `echo $MATON_API_KEY`, which prints a bearer secret directly to the terminal. Even though the document elsewhere says not to expose the key, this command increases the risk of shoulder-surfing, shell history capture, terminal logging, screenshots, or recording leakage.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README includes multiple state-changing and destructive operations such as creating, updating, canceling, rescheduling, and deleting resources, but provides no cautionary guidance, confirmation requirements, or safety constraints. In an agent skill context, this increases the chance that an agent will invoke mutating endpoints directly from ambiguous user requests, leading to unauthorized or accidental changes to appointments, clients, or calendar blocks.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The reference documents create, update, and delete endpoints with ready-to-use examples but does not clearly warn that these operations modify or permanently remove Airtable data. In an agent skill context, this increases the chance that an automated agent or user will invoke destructive actions without adequate confirmation, especially since the skill is intended to connect to live external services.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The reference documents create and update operations for contacts and accounts but does not clearly warn that these calls modify live remote CRM data. In an agent skill, that omission increases the chance an agent will perform state-changing actions without explicit user confirmation, causing unintended record creation or modification in a real customer environment.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Adding contacts to sequences is a state-changing action that can alter outreach workflows and may lead to automated messaging or campaign enrollment. Without a warning about these downstream effects, an agent could trigger customer-facing communications or sales workflow changes unintentionally.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The webhook creation example instructs sending Asana event data to an arbitrary external URL without any privacy, trust-boundary, or data handling warning. In an agent context that connects to external services, this can normalize exfiltration of task/project metadata to third-party endpoints and increase the chance of unauthorized data disclosure.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This reference explicitly documents create, update, and delete CRM record operations but provides no warning, confirmation guidance, or safety constraints around modifying live customer data. In an agent skill context, that omission increases the chance an agent will perform destructive actions from ambiguous or incomplete user prompts, leading to accidental data loss or unauthorized changes.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The document exposes routes for workspace members, self identity, notes, comments, meetings, and call recordings, all of which may contain sensitive personal, internal, or communications data, yet it gives no privacy, authorization, or disclosure warning. In an API gateway skill, this can normalize broad access to sensitive data and increase the risk of over-collection or disclosure to unauthorized users.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The reference documents destructive delete operations, including recursive folder deletion, without any caution about confirmation, scope validation, or recovery implications. In an agent skill, this increases the chance that an LLM or user will invoke high-impact deletion actions without understanding that they can remove large amounts of data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The shared-link example shows creating an open link without warning that it can expose folder contents to anyone with the URL. In a gateway skill used by agents, omission of this warning can lead to unintended public data disclosure and integrity risks through oversharing.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The collaboration examples permit granting external access to folders without warning that this changes who can view or modify user data. In an agent context, that omission can cause accidental sharing with outside accounts and unauthorized data exposure or modification.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The reference includes multiple state-changing and destructive operations such as creating, updating, deleting contacts, creating lists/folders, sending emails, and sending campaigns, but it provides no explicit warning, confirmation guidance, or safety constraints around irreversible or externally visible actions. In an agent skill context, this increases the chance that an LLM-driven workflow may perform impactful actions on production marketing data or send communications without adequate user confirmation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README documents multiple destructive and privacy-impacting operations such as profile updates, booking creation/cancellation, schedule deletion, and webhook management, but provides no explicit warning, confirmation guidance, or safe-use constraints beyond a general suggestion to start with read/list calls. In an agent skill, this can normalize unsafe execution of high-impact actions from ambiguous user prompts and increase the chance of unauthorized or accidental changes to a user's scheduling configuration and data flows.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The reference includes create, update, cancel, and billing-related POST actions that can change customer accounts and subscriptions, but it provides no warning to verify user authorization, confirm destructive intent, or prefer read-only discovery before mutation. In an agent skill that routes authenticated API calls to a live billing system, this increases the chance of unintended account changes, subscription cancellation, or payment-flow actions being performed from ambiguous or insufficiently verified prompts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The examples and endpoints handle customer names, emails, invoices, transactions, portal sessions, and payment-source management, but the README lacks any privacy or data-minimization warning. Because the router automatically injects authenticated access to a real Chargebee tenant, an agent may retrieve, expose, or act on sensitive customer and billing data without sufficient caution, increasing the risk of privacy violations or unauthorized data handling.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The reference exposes multiple state-changing and user-impacting operations, including sending SMS/MMS/voice messages and deleting templates, lists, contacts, and email addresses, without any safety guidance or requirement for confirmation. In an agent skill, this increases the chance that an LLM will invoke destructive or billable actions directly from ambiguous user input, causing unwanted charges, data loss, or unsolicited communications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The reference documents multiple state-changing and destructive operations such as creating, updating, and deleting tasks, spaces, folders, lists, and webhooks, but does not include explicit cautions, confirmation requirements, or guidance to verify user intent before execution. In an agent skill context, this increases the chance that an LLM-driven agent will perform irreversible or high-impact actions based on ambiguous prompts or parameter confusion.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The reference documents destructive operations such as deleting projects without any guardrails, confirmation guidance, or warnings about irreversible impact. In an agent skill, this increases the chance the agent will invoke deletion directly from user prompts or ambiguous context, causing unintended data loss in a real Clockify workspace.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The reference exposes numerous write and destructive operations but provides no operational safety guidance such as confirmation requirements, authorization expectations, or recommendations to prefer read-only calls before mutation. In an agent skill context, documentation shapes agent behavior, so omission of caution around deletes, updates, webhook creation, and uploads increases the chance of unsafe or unintended state-changing actions.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
