Jobber
Review
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent Jobber integration, but it requires a Maton API key and can access or change Jobber business records through Maton.
Install this only if you intend to let the agent work with your Jobber business data through Maton. Keep MATON_API_KEY secret, specify the intended Maton connection when multiple accounts exist, approve each write operation only after reviewing its impact, and delete or revoke OAuth connections when no longer needed.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may be able to create, update, or delete important Jobber business records if the user approves those actions.
The skill uses a raw GraphQL interface that can support broad read and mutation operations. This is central to the stated Jobber integration, but users should carefully review any generated mutation.
Jobber uses a **GraphQL API** exclusively. All requests are POST requests to the `/graphql` endpoint with a JSON body containing the `query` field.
Confirm the exact resource, account, and intended effect before approving any create, update, or delete request.
Anyone or any agent process with access to the Maton API key may be able to use the connected Jobber account within the granted permissions.
The skill requires a sensitive Maton API key and uses delegated OAuth to act on a connected Jobber account. This is expected for the integration, but it is privileged access.
All requests require the Maton API key in the Authorization header: `Authorization: Bearer $MATON_API_KEY` ... Maton automatically injects your OAuth token
Store the MATON_API_KEY securely, avoid sharing it, use least-privilege Jobber/OAuth access where possible, and rotate or revoke access if it may be exposed.
Customer, job, invoice, quote, property, and team-member data may transit through Maton's service as part of normal operation.
Jobber API requests and responses pass through the Maton gateway. This provider-mediated flow is disclosed and purpose-aligned, but it means Maton is part of the trust boundary for Jobber data and OAuth access.
Maton proxies requests to `api.getjobber.com/api/graphql` and automatically injects your OAuth token and API version header.
Use this skill only if you trust Maton to proxy Jobber data and manage OAuth tokens, and review Maton's connection settings if multiple Jobber accounts are connected.
