Keap

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user approves the wrong action or wrong account connection, CRM records, orders, opportunities, or campaigns could be changed or deleted.

Why it was flagged

The skill exposes create, update, and delete actions for CRM resources, which can affect business records; the explicit approval requirement keeps this purpose-aligned rather than a concern.

Skill content

**All write operations require explicit user approval.** Before executing any create, update, or delete call, confirm the target resource and intended effect with the user.

Recommendation

Before approving writes, verify the Keap account, connection ID, resource IDs, and exact intended change.

What this means

Exposure of the Maton API key could allow unauthorized use of connected Keap CRM access.

Why it was flagged

The Maton API key is required to use the connected Keap OAuth authorization, so possession of this key can enable access to the user's Keap data through Maton.

Skill content

All requests require the Maton API key in the Authorization header: `Authorization: Bearer $MATON_API_KEY`

Recommendation

Store MATON_API_KEY securely, avoid sharing logs that contain it, rotate it if exposed, and revoke unused Maton/Keap connections.

What this means

CRM data handled by the skill is routed through Maton's service before reaching Keap.

Why it was flagged

The artifact clearly discloses a third-party gateway/proxy in the data path, meaning CRM requests and responses pass through Maton as part of the integration.

Skill content

Maton proxies requests to `api.infusionsoft.com/crm/rest` and automatically injects your OAuth token.

Recommendation

Use this only if you trust Maton's handling of CRM data, and request only the fields and records needed for the task.

What this means

Users have less independent registry metadata for verifying the skill's maintainer or support channel before providing credentials.

Why it was flagged

The registry metadata does not provide a source repository or homepage, which is a provenance gap for a credentialed third-party integration, though no executable code is included.

Skill content

Source: unknown; Homepage: none

Recommendation

Confirm the Maton domain and provider relationship before setting MATON_API_KEY or authorizing Keap OAuth.