Back to skill

Security audit

ClickFunnels

Security checks across malware telemetry and agentic risk

Overview

This is a transparent ClickFunnels API helper, but it can access and change sensitive business data, so users should approve actions carefully.

Install only if you intend to let an agent use your ClickFunnels account through Maton. Keep MATON_API_KEY, OAuth connection URLs, and webhook secrets private, and require the agent to show the exact workspace, account, resource, and intended change before any write, delete, GDPR redaction, fulfillment, enrollment, order, image, or webhook action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documentation exposes capabilities for teams, workspaces, fulfillments, enrollments, and images that are broader than the stated resource scope. This can mislead downstream agents or users about what the skill is permitted to access and increases the chance of overbroad invocation or unintended data operations.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The security guidance claims access is scoped only to contacts, products, orders, courses, forms, and webhooks, but the file documents additional domains such as teams, workspaces, fulfillments, enrollments, and images. This mismatch creates a false sense of least privilege and can cause users or agents to underestimate the data and action scope of the skill.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill describes read access to contacts, orders, form submissions, and webhooks without warning that these operations may expose personal data, transactional details, or secrets such as webhook material. In an agent setting, missing read-side privacy guidance can lead to oversharing sensitive records to users or logs.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.