Security audit

API Gateway

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad but coherent API gateway for user-approved third-party integrations; it carries real data-sharing risk but does not show hidden or malicious behavior.

Install only if you trust Maton with the connected services. Use the narrowest OAuth scopes, confirm every write, trigger, destination, and deletion with exact resource IDs, avoid broad Slack or webhook scopes, and do not forward email, payment, meeting, or location data unless that specific data sharing is intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Intent-Code Divergence

Medium
Confidence
92%
Finding
The document states that connection creation requires explicit user approval, yet the adjacent examples directly execute `maton connection create slack` and `POST /connections` with no confirmation gate. In an agent setting, examples are often followed verbatim, so this inconsistency can lead to unauthorized OAuth/app connections being created and broader third-party access being granted without a fresh consent step.

Intent-Code Divergence

Medium
Confidence
88%
Finding
The section claims trigger updates are limited to metadata, but the documented request body includes `status`, which can enable, disable, or otherwise alter runtime behavior. That mismatch can cause agents or operators to underestimate the side effects of the call and perform operational changes without the higher scrutiny normally applied to state-changing actions.

Context-Inappropriate Capability

Medium
Confidence
95%
Finding
The reference explicitly instructs the agent to send upload traffic directly to LinkedIn pre-signed URLs outside the Maton-managed gateway. Even though pre-signed uploads are a legitimate API pattern, this bypasses the platform’s routing, policy enforcement, auditing, and network-boundary controls, increasing the risk of uncontrolled outbound requests or misuse of externally supplied URLs.

Context-Inappropriate Capability

Medium
Confidence
97%
Finding
The sample code performs a direct HTTP PUT to an externally returned upload URL, normalizing behavior where the agent leaves the managed gateway and trusts a URL from a prior response. This creates a server-side request risk surface and weakens centralized enforcement, because a compromised or malformed response could steer the agent to unexpected destinations.

Missing User Warnings

Medium
Confidence
91%
Finding
The reference documents precise location headers such as latitude, longitude, city, state, and postal code without any warning that using them may transmit sensitive location data to an external third-party service. In an API gateway skill, this omission can lead an agent or user to send precise geolocation unnecessarily, creating privacy and compliance risk even though the endpoint itself is read-only.

Missing User Warnings

Medium
Confidence
91%
Finding
The reference file includes realistic webhook payloads containing personal data and meeting-related metadata such as names, email addresses, cancellation reasons, scheduling details, and meeting join URLs. Even though some values are example data, publishing this structure without guidance on sensitive-data handling increases the risk that downstream consumers will log, store, or expose equivalent production webhook contents unsafely.

Vague Triggers

Medium
Confidence
88%
Finding
This schema describes a destructive/update-capable operation that can rename, drop, alter, or trash a Notion data source, but the file itself does not encode strong invocation guardrails beyond a description note to confirm trashing. Because the accepted inputs are broad free-form DDL statements, an agent or caller with weak upstream controls could perform unintended structural changes or data loss on the wrong resource.

Vague Triggers

Low
Confidence
84%
Finding
The `reaction.added` trigger explicitly permits omitting `channel_id`, which causes the trigger to fire for reactions across all accessible channels. In an API-gateway skill that connects to external services, this broad scope can unintentionally expose far more workspace activity to downstream automations than necessary, increasing the blast radius of mistakes or abuse.

Missing User Warnings

Medium
Confidence
84%
Finding
The reference includes realistic webhook payloads containing customer identifiers, email addresses, invoice URLs, receipt URLs, the card's last four digits and fingerprint, and transaction metadata, without any warning about sensitive-data handling. In an API-gateway skill that encourages downstream integrations with external services, users may copy these examples into logs, prompts, tickets, or other systems, increasing the risk of unintended disclosure of payment and customer data.

Vague Triggers

Medium
Confidence
94%
Finding
The schema exposes a destructive action with only a generic description: it places no constraints on which calendar is affected, requires no ownership checks or confirmation, and gives no guidance on when deletion is appropriate. In an agent setting, this broadness increases the chance of accidental or unauthorized deletion because the model has little policy guidance beyond supplying an eventId.

Ssd 3

Medium
Confidence
95%
Finding
This example forwards Gmail event content (`payload.snippet`) into a Slack message through a remote destination, creating a built-in cross-system data exfiltration pattern. Because email content may contain sensitive or regulated data, templated forwarding to another service can leak confidential information to the wrong workspace, channel, or downstream logs with minimal operator awareness.

Ssd 3

Medium
Confidence
94%
Finding
The local automation example reads email event data and reposts `event['snippet']` into Slack, normalizing disclosure of mailbox content into another platform. In agent workflows, that creates a strong pattern for unauthorized cross-tenant or cross-context disclosure, especially if the Slack channel membership differs from the email audience.

External Transmission

Medium
Category
Data Exfiltration
Content
import json, os, urllib.request
# The inbound event (here a Gmail message event) arrives serialized in an environment variable.
event = json.loads(os.environ["EVENT_JSON"])
# The email snippet is copied verbatim into the Slack message body; this is the cross-system
# forwarding step the finding flags, since mailbox content leaves its original audience.
data = json.dumps({"channel": "C0123456789", "text": f"New email: {event['snippet']}"}).encode()
# The message is posted through the Maton gateway to Slack's chat.postMessage endpoint.
req = urllib.request.Request("https://api.maton.ai/slack/api/chat.postMessage", data=data, method="POST")
req.add_header("Authorization", f"Bearer {os.environ['MATON_API_KEY']}")
req.add_header("Content-Type", "application/json")
with urllib.request.urlopen(req) as resp:
    resp.read()  # consume the response so the connection is released
Confidence
90%
Finding
https://api.maton.ai/

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.