Motion
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: motion Version: 1.0.1 The 'motion' skill provides a standard integration for the Motion API via a managed OAuth proxy service (maton.ai). The SKILL.md file contains legitimate API documentation, Python/JavaScript examples for CRUD operations on tasks and projects, and explicitly instructs the agent to seek user approval for write operations. No evidence of data exfiltration, malicious execution, or obfuscation was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may be able to change or delete Motion tasks, projects, comments, or scheduling data when the user asks it to.
The skill exposes create, read, update, and delete capabilities for Motion resources; this is expected for a Motion management skill but can affect user data if used incorrectly.
Manage tasks, projects, workspaces, comments, and recurring tasks with full CRUD operations.
Review requested changes before approval, especially deletes, bulk edits, workspace-level changes, or actions affecting other assignees.
Anyone with the API key may be able to access the connected Motion integration according to the key’s permissions.
The skill requires a sensitive Maton API key that delegates access to the user’s connected Motion account.
All requests require the Maton API key in the Authorization header: Authorization: Bearer $MATON_API_KEY
Store the MATON_API_KEY securely, do not paste it into chats or logs, rotate it if exposed, and use the intended Motion connection when multiple accounts are linked.
Motion task, project, workspace, and scheduling data may pass through Maton as part of normal operation.
Motion API requests and responses flow through the Maton gateway, which is disclosed and purpose-aligned but means task and account data transit a third-party service.
Maton proxies requests to `api.usemotion.com` and automatically injects your OAuth token.
Use this skill only if you trust Maton to handle Motion OAuth and API data, and disconnect unused OAuth connections when no longer needed.