Google Merchant Center

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a clearly disclosed Google Merchant Center integration, but it uses a sensitive Maton/OAuth credential and can make high-impact account changes when approved.

Install this only if you need Google Merchant Center automation through Maton. Keep MATON_API_KEY secret, verify account and resource IDs before approving changes, avoid approving broad deletes or account-setting changes unless you fully understand them, and revoke the OAuth connection when finished.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Incorrect or unintended actions could change product listings, promotions, inventory, or account settings in Google Merchant Center.

Why it was flagged

The skill can perform high-impact Merchant Center write and delete actions, although this is disclosed and aligned with its purpose.

Skill content

This is a write-capable integration — it can read, create, update, and delete products, inventories, data sources, promotions, account settings, and conversions in Google Shopping.

Recommendation

Approve only specific write or delete actions after checking the account ID, resource ID, and exact change being requested.

What this means

Anyone with the MATON_API_KEY may be able to access the connected Merchant Center integration through Maton.

Why it was flagged

The skill requires a sensitive API key that authorizes access through Maton to the connected Google Merchant account.

Skill content

All requests require the Maton API key in the Authorization header: Authorization: Bearer $MATON_API_KEY

Recommendation

Store the key only in a private environment variable, do not paste it into chats or shared files, use least-privilege Merchant Center access, and rotate or revoke it if exposed.

What this means

Merchant Center data and requests pass through Maton before reaching Google, so the user must trust that service with this integration path.

Why it was flagged

Merchant Center requests and responses are routed through a third-party API gateway, and Maton manages OAuth token injection.

Skill content

Maton proxies requests to merchantapi.googleapis.com and automatically injects your OAuth token.

Recommendation

Use this only if you trust Maton for managed OAuth access, and revoke the Maton connection when it is no longer needed.