Skill v1.0.1
ClawScan security
Microsoft SharePoint · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Mar 5, 2026, 9:52 AM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: Instruction-only SharePoint integration that consistently proxies Microsoft Graph through Maton and requires a single MATON_API_KEY; functionally coherent, but it routes your SharePoint data and OAuth flows through a third party (Maton), so trust and data governance matter.
- Guidance: This skill is internally consistent, but it routes all Microsoft Graph and OAuth traffic through a third party (maton.ai). Before installing: confirm your organization is comfortable with SharePoint data and OAuth tokens passing through Maton; verify the Maton service and domains (gateway.maton.ai, ctrl.maton.ai, connect.maton.ai) are legitimate and use HTTPS; restrict the MATON_API_KEY scope if possible, store and rotate the key securely, and test with a non-production account first. If policy forbids third-party proxies for sensitive content, do not use this skill.
Review Dimensions
- Purpose & Capability: ok
  The skill name/description (SharePoint via Microsoft Graph) matches the runtime instructions: all example calls target Maton gateway URLs that proxy graph.microsoft.com. Requiring MATON_API_KEY is coherent with a managed-proxy design.
- Instruction Scope: ok
  SKILL.md only instructs network calls to maton.ai endpoints and shows using the MATON_API_KEY. It does not instruct reading local files, unrelated env vars, or writing to disk. The instructions do rely on a third-party proxy (ctrl.maton.ai / gateway.maton.ai / connect.maton.ai) to handle OAuth, which is expected by this design.
- Install Mechanism: ok
  No install spec and no code files beyond the SKILL.md and LICENSE. This is low-risk (nothing is written to disk by the skill itself).
- Credentials: note
  Only a single env var (MATON_API_KEY) is required, which is proportionate to a proxy-based API client. However, that API key appears to be a powerful credential granting access to proxied SharePoint resources and OAuth flows; treat it as highly sensitive and ensure least privilege and rotation.
- Persistence & Privilege: ok
  The skill is not always-enabled and does not request elevated system persistence or modify other skills. Autonomous invocation is allowed (platform default) but is not combined with other privilege escalations here.
