Gumroad
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill is a disclosed Gumroad integration through Maton that can access and modify storefront data, but the artifacts show the sensitive behavior is purpose-aligned and calls for user approval before writes.
Install only if you trust Maton to proxy Gumroad requests and you are comfortable giving the skill access to storefront data. Keep MATON_API_KEY private, use the Maton-Connection header when multiple accounts exist, and carefully confirm any create, update, disable, delete, or webhook action before allowing it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used as intended, the agent may change, disable, or delete Gumroad resources only after the user confirms the exact action.
The skill exposes write/delete API operations for a Gumroad storefront, which can have business impact, but it also instructs the agent to obtain explicit user approval first.
**All write operations require explicit user approval.** Before executing any create, update, or delete call, confirm the target resource and intended effect with the user.
Before approving any write/delete call, verify the connected Gumroad account, target resource ID, request payload, and expected effect.
Someone with the MATON_API_KEY could potentially access Gumroad data and perform authorized actions through the Maton connection.
The Maton API key is the credential used to access the connected Gumroad account, so it should be treated as sensitive account authority.
All requests require the Maton API key in the Authorization header: `Authorization: Bearer $MATON_API_KEY`
Store the API key securely, avoid pasting it into shared chats or logs, and revoke or rotate it if exposed.
Gumroad account data and API requests may pass through Maton as part of the managed OAuth workflow.
The integration routes Gumroad API traffic through a third-party gateway that handles OAuth on the user's behalf; this is disclosed and central to the skill's purpose.
Maton proxies requests to `api.gumroad.com/v2` and automatically injects your OAuth token.
Review the Maton connection settings and only connect the Gumroad account you intend to manage; remove unused connections.
