Skill v1.0.0
ClawScan security
Buffer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 12, 2026, 1:51 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it proxies Buffer GraphQL calls through Maton (gateway.maton.ai) and only requests a single Maton API key which matches its stated purpose.
- Guidance: This skill uses Maton (gateway.maton.ai) as a managed proxy to Buffer. Before installing: verify maton.ai's trustworthiness and privacy policy; treat MATON_API_KEY like a credential that grants Maton access to your social accounts and content; prefer creating a limited-scope test account or API key first; avoid using a high-privilege key from a production Buffer account until you're comfortable; rotate and revoke the key if you stop using the skill.
Review Dimensions
- Purpose & Capability: ok. The name/description (Buffer integration, scheduling posts) align with the runtime instructions. The only required credential is MATON_API_KEY and the SKILL.md shows calls to Maton endpoints (gateway.maton.ai, ctrl.maton.ai) which fits a managed-auth proxy design rather than requiring unrelated services or binaries.
- Instruction Scope: ok. SKILL.md is instruction-only and the examples perform POSTs to Maton endpoints using the MATON_API_KEY. There are no instructions to read local files, shell history, or other environment variables, nor to send data to unexpected endpoints. Note: all post content and account data will be routed through Maton.
- Install Mechanism: ok. No install spec or code is provided (instruction-only), so nothing is written to disk or downloaded as part of installation. This is the lowest-risk install profile.
- Credentials: note. Only MATON_API_KEY is required, which is proportionate for a gateway/proxy model. However, because requests are routed through Maton, that API key grants Maton access to your Buffer-related accounts and data; this is expected but worth explicit consideration before sharing the key.
- Persistence & Privilege: ok. The skill is not always:true and is user-invocable; it does not request elevated or persistent platform privileges and does not modify other skills or system-wide settings.
