Tally
Security checks across malware telemetry and agentic risk
Overview
This is a coherent Tally integration through Maton OAuth, but it uses a Maton API key and can read or change Tally account resources, so users should approve changes carefully.
Install only if you intend to let the agent work with your Tally account through Maton. Keep the API key private, verify the intended Tally connection, and require clear confirmation before any form, workspace, webhook, or deletion change.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved, the agent could create, update, or delete Tally resources such as forms or webhooks, which may affect data collection or integrations.
The skill has Tally resource mutation authority, but the artifact also scopes it to the integration purpose and requires explicit approval for writes.
"Manage forms, submissions, workspaces, and webhooks... All write operations require explicit user approval. Before executing any create, update, or delete call, confirm the target resource and intended effect with the user."
Confirm the exact resource, account, and intended effect before allowing any create, update, delete, or webhook change.
Anyone or any agent action using the key can access the connected Tally resources allowed by that Maton connection.
The skill relies on a Maton API key and delegated Tally OAuth access, giving the agent authority within the connected Tally account.
"All requests require the Maton API key in the Authorization header... Authorization: Bearer $MATON_API_KEY... Maton proxies requests to `api.tally.so` and automatically injects your OAuth token."
Keep MATON_API_KEY private, use the least-privileged/relevant Tally connection, and revoke connections or rotate keys when no longer needed.
Users have less registry-level provenance to verify before trusting the skill with API credentials.
The registry metadata provides limited provenance for a credentialed API integration, although no code package or hidden installer is present.
Source: unknown; Homepage: none
Verify that the Maton URLs and account setup are expected before providing credentials or authorizing OAuth access.
Form submissions may contain personal or business data that will be processed through Maton as part of the integration.
Requests and potentially sensitive Tally submission data are routed through a third-party gateway, which is disclosed and purpose-aligned.
"Use this skill when users want to create or manage Tally forms, retrieve form submissions... Maton proxies requests to `api.tally.so` and automatically injects your OAuth token."
Use this only for Tally accounts and submissions you are comfortable routing through Maton, and avoid requesting unnecessary submission data.
