Clio
Result: Pass. Audited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent Clio integration, but it can access and change sensitive legal-practice data through a Maton API key and OAuth connection.
Install only if you trust Maton and are comfortable granting OAuth-backed access to your Clio account. Use the least-privileged Clio scopes/account access available, keep the MATON_API_KEY private, start with read-only queries, and approve writes or deletes only when the agent shows the exact record identifiers and consequences.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: If approved, the agent could create, change, or delete sensitive matters, contacts, documents, billing records, and related practice-management data.
The skill intentionally exposes high-impact write and delete operations for legal-practice data. This is purpose-aligned for a Clio integration and the artifact requires explicit user approval, but users should understand the operational risk.
Evidence: "It can read, create, update, and delete legal practice data including matters, contacts, activities, tasks, documents, calendar entries, time entries, and billing."
Recommendation: Default to read-only use, verify resource names and IDs, and only approve write/delete requests after confirming the exact effect and reversibility.

Finding 2: Anyone or any process with the key may be able to act through the connected Clio permissions exposed by the Maton gateway.
The MATON_API_KEY is the credential used to access the managed OAuth gateway for the connected Clio account. This is expected for the integration, but it is sensitive delegated authority.
Evidence: "All requests require the Maton API key in the Authorization header: Authorization: Bearer $MATON_API_KEY"
Recommendation: Store the API key securely, use the narrowest Clio/OAuth permissions available, rotate the key if exposed, and revoke unused Maton/Clio connections.

Finding 3: Matter, client, document, billing, and calendar data may transit through Maton while using the integration.
Clio requests and responses pass through the third-party Maton gateway, which manages OAuth token injection. This data flow is disclosed and purpose-aligned, but it involves sensitive legal data crossing a provider boundary.
Evidence: "The gateway proxies requests to `app.clio.com` and automatically injects your OAuth token."
Recommendation: Only install if you trust Maton for this data, confirm it meets your firm's confidentiality/compliance requirements, and use the `Maton-Connection` header when multiple Clio connections exist.
