Apollo

Security checks across malware telemetry and agentic risk

Overview

The artifacts describe a coherent Apollo.io integration. It depends on a Maton API key and an OAuth connection to Apollo, and, with user approval, it can read or modify Apollo sales data through that connection.

Use this skill only if you trust Maton and the connected Apollo account scope. Keep MATON_API_KEY and OAuth connection URLs private, specify the intended Maton connection when you have multiple accounts, and review every create, update, or delete action before approving it.

VirusTotal

46 of 46 vendors returned a clean verdict for this skill; none flagged it.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

Anyone, or any agent, holding the key and the connection can access whatever Apollo data that connection permits.

Why it was flagged

The skill requires a bearer API key and delegated access to an Apollo account. This is expected for the integration, but it is sensitive account authority.

Skill content
All requests require the Maton API key in the Authorization header ... Access is scoped to contacts, accounts, opportunities, sequences, and email data within the connected Apollo account.
Recommendation

Use a key and Apollo connection with the minimum necessary access, keep MATON_API_KEY private, and revoke unused connections.

ASI02: Tool Misuse and Exploitation
Medium
What this means

Mistaken approvals or ambiguous requests could create, update, or delete sales records or connection state.

Why it was flagged

The skill can perform write operations against Apollo resources. The artifact requires user approval before each write, which keeps the behavior purpose-aligned, but users should still be aware that approved writes change live sales data.

Skill content
**All write operations require explicit user approval.** Before executing any create, update, or delete call, confirm the target resource and intended effect with the user.
Recommendation

Approve write/delete actions only after reviewing the exact resource, account connection, and intended change.
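The two recommendations above (minimum-scope key kept out of logs, and explicit approval before every create, update, or delete) can be enforced on the agent side rather than left to the model's judgment. The following is an added example, not code from the skill, Maton, or Apollo: a small client wrapper that reads MATON_API_KEY from the environment, attaches it as a bearer token as the skill describes, refuses to send any POST/PUT/PATCH/DELETE unless an approval callback confirms a human-readable summary of the exact resource and change, and redacts the Authorization header before anything is logged. The gateway base URL, the `/contacts/1` path, and the fake transport are assumptions constructed for the example.

```python
"""Approval-gated, key-redacting wrapper around a key-injecting proxy.

Added example for illustration. The base URL, resource paths and the
fake transport below are constructed assumptions, not Maton's real API.
"""
import json
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# HTTP methods that change Apollo state and therefore need explicit approval.
WRITE_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})


class WriteNotApproved(Exception):
    """Raised when a create/update/delete call was not explicitly approved."""


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str]
    body: Optional[dict] = None


def load_key(env=os.environ) -> str:
    """Read MATON_API_KEY from the environment; fail closed if it is missing."""
    key = env.get("MATON_API_KEY")
    if not key:
        raise RuntimeError("MATON_API_KEY is not set; refusing to start")
    return key


def redact(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers safe to log (bearer token masked)."""
    return {
        k: ("Bearer ***" if k.lower() == "authorization" else v)
        for k, v in headers.items()
    }


@dataclass
class ApprovalGate:
    api_key: str
    approve: Callable[[str], bool]      # shows the summary to the user, returns their decision
    send: Callable[[Request], dict]     # real HTTP transport in production
    base_url: str = "https://gateway.example/apollo"  # assumption, not Maton's real host
    audit: List[str] = field(default_factory=list)

    def request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        method = method.upper()
        # The summary is exactly what the user approves: method, resource, payload.
        summary = f"{method} {path}"
        if body is not None:
            summary += " " + json.dumps(body, sort_keys=True)
        if method in WRITE_METHODS and not self.approve(summary):
            self.audit.append(f"DENIED {summary}")
            raise WriteNotApproved(summary)
        req = Request(method, self.base_url + path,
                      {"Authorization": f"Bearer {self.api_key}"}, body)
        # Audit trail never contains the key; only the redacted view is logged.
        self.audit.append(f"SENT {summary}")
        return self.send(req)


def demo() -> dict:
    """Constructed scenario: a read passes, an approved update passes, an unapproved delete is blocked."""
    sent: List[Request] = []

    def fake_send(req: Request) -> dict:   # stands in for the network; records what would go out
        sent.append(req)
        return {"ok": True}

    # Scripted "user": approves exactly one update and nothing else.
    decisions = {'PATCH /contacts/1 {"title": "CTO"}': True}
    gate = ApprovalGate(api_key="test-key",
                        approve=lambda s: decisions.get(s, False),
                        send=fake_send)
    gate.request("GET", "/contacts/1")                      # reads need no approval
    gate.request("PATCH", "/contacts/1", {"title": "CTO"})  # approved write
    try:
        gate.request("DELETE", "/contacts/1")               # not approved: must not be sent
        blocked = False
    except WriteNotApproved:
        blocked = True
    return {"sent": len(sent), "blocked": blocked,
            "audit": gate.audit, "redacted": redact(sent[0].headers)}


if __name__ == "__main__":
    print(demo())
```

Because the approval string is built from the method, path and the exact payload, a request the model worded ambiguously cannot be approved under a different description than what is sent; and because `approve` is a callback, the same gate works behind a terminal prompt, a chat confirmation, or a policy engine. In production, replace `fake_send` with a real HTTP client and pass `load_key()` as `api_key`.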

ASI07: Insecure Inter-Agent Communication
Medium
What this means

Prospecting, contact, account, and email-related data may be processed by Maton while the skill is in use.

Why it was flagged

The integration uses Maton as a gateway between the agent and Apollo, so credentialed requests and Apollo response data pass through a third-party provider.

Skill content
Maton proxies requests to `api.apollo.io` and automatically injects your API key.
Recommendation

Use the skill only if you trust Maton with the relevant Apollo data, and avoid sending more sensitive data than necessary.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users have less publisher/provenance context to verify before trusting the integration with credentials.

Why it was flagged

The registry metadata does not provide a source repository or homepage. There is no local code install, so this is a provenance note rather than evidence of unsafe behavior.

Skill content
Source: unknown; Homepage: none
Recommendation

Confirm that the Maton domains and publisher are expected before setting or using the MATON_API_KEY.