Gumroad

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: gumroad
Version: 1.0.4

The 'gumroad' skill provides a standard integration for the Gumroad API via a managed OAuth proxy service (api.maton.ai). It requires a MATON_API_KEY environment variable and includes well-documented Python and JavaScript examples for managing products, sales, and licenses. The skill explicitly instructs the agent to seek user approval for write operations and contains no evidence of malicious execution, data exfiltration, or prompt injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used as intended, the agent may change, disable, or delete Gumroad resources only after the user confirms the exact action.

Why it was flagged

The skill exposes write/delete API operations for a Gumroad storefront, which can have business impact, but it also instructs the agent to obtain explicit user approval first.

Skill content

**All write operations require explicit user approval.** Before executing any create, update, or delete call, confirm the target resource and intended effect with the user.

Recommendation

Before approving any write/delete call, verify the connected Gumroad account, target resource ID, request payload, and expected effect.

What this means

Someone with the MATON_API_KEY could potentially access Gumroad data and perform authorized actions through the Maton connection.

Why it was flagged

The Maton API key is the credential used to access the connected Gumroad account, so it should be treated as sensitive account authority.

Skill content

All requests require the Maton API key in the Authorization header: `Authorization: Bearer $MATON_API_KEY`

Recommendation

Store the API key securely, avoid pasting it into shared chats or logs, and revoke or rotate it if exposed.

What this means

Gumroad account data and API requests may pass through Maton as part of the managed OAuth workflow.

Why it was flagged

The integration routes Gumroad API traffic through a third-party gateway that handles OAuth on the user's behalf; this is disclosed and central to the skill's purpose.

Skill content

Maton proxies requests to `api.gumroad.com/v2` and automatically injects your OAuth token.

Recommendation

Review the Maton connection settings and only connect the Gumroad account you intend to manage; remove unused connections.