Box

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

After authorization, the agent may be able to access or change files, folders, collaborations, and shared links in the connected Box account.

Why it was flagged

The skill relies on delegated OAuth access to a user's Box account. This is expected for the purpose, but it means the agent can act within the authorized Box connection.

Skill content
Box access requires explicit OAuth authorization by the user through Maton's connect flow. Access is strictly scoped to connections the user has authorized.
Recommendation

Authorize only the intended Box account, keep MATON_API_KEY private, and revoke unused Maton/Box connections.

What this means

Mistaken or overly broad prompts could cause unintended Box file changes or sharing actions.

Why it was flagged

The skill exposes broad Box management actions, including sharing and file organization. This is aligned with the stated purpose but can affect important cloud data.

Skill content
Access the Box API with managed OAuth authentication. Manage files, folders, collaborations, shared links, and cloud storage.
Recommendation

Use precise file, folder, and collaboration targets, and require explicit confirmation before destructive or public-sharing operations.

What this means

File metadata, the contents of files being uploaded or downloaded, and the Box API calls themselves may pass through the Maton service path.

Why it was flagged

Box API requests, including upload/download-related traffic, go through Maton's gateway, which is expected for managed OAuth but relevant for sensitive file data.

Skill content
The gateway proxies requests to `api.box.com/2.0` ... or `upload.box.com/api/2.0` ... and automatically injects your OAuth token.
Recommendation

Use this only if comfortable with Maton's managed OAuth gateway handling the relevant Box API traffic.

What this means

An action could be performed against the wrong Box connection if the user has multiple active connections.

Why it was flagged

When multiple Box connections exist, omitting the connection header makes the gateway fall back to its default (the oldest active connection) rather than the account the user explicitly chose, so an action can silently land in the wrong account.

Skill content
If omitted, the gateway uses the default (oldest) active connection.
Recommendation

Specify the `Maton-Connection` header whenever multiple Box accounts or workspaces are connected.
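Added example, not code from the page, Maton, or Box: a small request builder that turns the two recommendations above (name the connection instead of accepting the oldest-connection default, and require explicit confirmation before destructive or public-sharing Box calls) into enforced checks, and that redacts MATON_API_KEY before anything is logged. The gateway base URL, the Bearer header form, and the way the Box path is appended to the gateway URL are assumptions; the Box endpoint paths, the "open" shared-link access level, and the hosts api.box.com/2.0 and upload.box.com/api/2.0 are from the Box API and the skill text. Connection names are constructed sample data.

```python
import os
from typing import Optional

# Added example, not Maton's or Box's code. Assumptions are marked inline.
GATEWAY_BASE = "https://gateway.maton.invalid"  # hypothetical base URL; the page gives none
UPSTREAMS = {"api": "api.box.com/2.0", "upload": "upload.box.com/api/2.0"}  # hosts named in the skill text


class ConnectionAmbiguous(Exception):
    """Raised instead of letting the gateway pick the default (oldest) connection."""


class ConfirmationRequired(Exception):
    """Raised when a destructive or public-sharing call was not explicitly confirmed."""


def classify(method: str, path: str, body: Optional[dict]) -> str:
    """Label a Box API call by blast radius: read, write, share, public_share, destructive."""
    method = method.upper()
    if method == "DELETE":
        # DELETE /files/{id} moves to trash; DELETE /files/{id}/trash is permanent. Both count.
        return "destructive"
    shared_link = (body or {}).get("shared_link")
    if isinstance(shared_link, dict) and shared_link.get("access") == "open":
        # A Box shared link with access "open" is reachable by anyone holding the URL.
        return "public_share"
    if method == "POST" and path.startswith("/collaborations"):
        return "share"  # grants another Box account access to an item
    if method in ("GET", "HEAD", "OPTIONS"):
        return "read"
    return "write"


def build_request(method, path, connections, connection=None, body=None,
                  upstream="api", confirmed=False, api_key=None):
    """Build one gateway request, refusing ambiguous connections and unconfirmed risky calls."""
    if upstream not in UPSTREAMS:
        raise ValueError(f"unknown upstream {upstream!r}")
    if connection is None:
        # Never rely on the gateway's oldest-connection default when more than one is active.
        if len(connections) != 1:
            raise ConnectionAmbiguous(
                f"{len(connections)} Box connections are active; pass connection= explicitly")
        connection = connections[0]
    elif connection not in connections:
        raise ConnectionAmbiguous(f"{connection!r} is not an active Box connection")

    risk = classify(method, path, body)
    if risk in ("destructive", "public_share") and not confirmed:
        raise ConfirmationRequired(f"{method.upper()} {path} is {risk}; confirm before sending")

    key = api_key if api_key is not None else os.environ.get("MATON_API_KEY", "")
    headers = {
        "Authorization": f"Bearer {key}",  # header form assumed; MATON_API_KEY is named on the page
        "Maton-Connection": connection,    # header named on the page
        "Content-Type": "application/json",
    }
    return {
        "method": method.upper(),
        "url": f"{GATEWAY_BASE}/{UPSTREAMS[upstream]}{path}",  # assumed path layout
        "headers": headers,
        "json": body,
        "risk": risk,
    }


def redact(request: dict) -> dict:
    """Return a copy that is safe to log: MATON_API_KEY must not end up in agent transcripts."""
    out = dict(request)
    out["headers"] = dict(request["headers"])
    if "Authorization" in out["headers"]:
        out["headers"]["Authorization"] = "Bearer ***"
    return out


if __name__ == "__main__":
    # Constructed sample: two active connections, so the header is mandatory.
    active = ["conn-personal", "conn-work"]
    req = build_request("GET", "/folders/0/items", active, connection="conn-work", api_key="example")
    print(redact(req)["url"], req["headers"]["Maton-Connection"])
    try:
        build_request("PUT", "/files/12345", active, connection="conn-work",
                      body={"shared_link": {"access": "open"}}, api_key="example")
    except ConfirmationRequired as exc:
        print("blocked:", exc)
```

The classifier is deliberately conservative: a shared link with access "company" or "collaborators" is treated as an ordinary write, while "open" and every DELETE are blocked until the caller passes confirmed=True, which an agent should only set after the user has approved that specific action.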