Square
Security checks across malware telemetry and agentic risk
Overview
This appears to be a coherent Square API/OAuth gateway skill, but it can access and change Square business or financial data through Maton, so install it only if you intend to grant that access.
Use this only for intended Square administration. Set MATON_API_KEY securely, connect the least-privileged Square account, always verify the Maton connection ID, start with read-only calls, and require a clear confirmation step before any payment, billing, customer, catalog, order, or delete operation.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used for writes, the agent could change Square resources or perform financial/business actions through the connected account.
The skill exposes Square API operations that can modify business data, but it also gives explicit approval and verification requirements.
This integration can mutate Square data — approve only specific write actions after checking the exact endpoint, account, resource ID, and consequence.
Use read-only requests first, verify the Square account and resource IDs, and approve only specific write actions you understand.
The connected Square account and OAuth scopes determine what the agent can read or change.
The skill relies on delegated Square OAuth authority and a Maton API key to act on the user's Square account.
The gateway proxies requests to `connect.squareup.com` and automatically injects your OAuth token.
Connect the least-privileged Square account and scopes available, verify the connection ID before requests, rotate a compromised Maton API key, and revoke unused OAuth connections.
Business data returned from Square may be processed via Maton's gateway rather than going directly from the agent to Square.
Square API requests are routed through the Maton gateway, so Square request and response data may pass through that third-party service.
`https://api.maton.ai/squareup/{endpoint-path}`
Install only if you trust the Maton gateway for the Square data you will access, and avoid requesting more sensitive data than needed.
