ClawHub

Api Gateway 1.0.71

v1.0.0

Connect to 100+ APIs (Google Workspace, Microsoft 365, GitHub, Notion, Slack, Airtable, HubSpot, etc.) with managed OAuth. Use this skill when users want to...

0· 70·2 current·2 all-time
by@gaopei123
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (API gateway to many third‑party services) matches the declared runtime instructions and manifest: SKILL.md documents proxy endpoints (gateway.maton.ai and ctrl.maton.ai) and uses a single MATON_API_KEY environment variable to authenticate. Nothing in the files requests unrelated cloud credentials, binaries, or system paths.
Instruction Scope
SKILL.md contains concrete examples showing HTTP calls to Maton's gateway and control endpoints and explains connection creation via a browser OAuth flow. The instructions only reference the declared env var (MATON_API_KEY) and do not instruct reading unrelated files, other env vars, or system config. The documented behavior (Maton injects OAuth tokens for user-authorized connections) is scoped to the gateway purpose.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute; nothing is written to disk or fetched at install time. That is the lowest-risk install model and is appropriate for a documentation-style gateway adapter.
Credentials
The skill only requires MATON_API_KEY, which is proportionate to a managed‑OAuth proxy. However, MATON_API_KEY is a sensitive secret: possession of it (by the agent or any code running in its environment) allows calls to Maton's APIs and therefore to any third‑party services already authorized under that Maton account. The SKILL.md states the key by itself doesn't grant access to third‑party services, but in practice the key enables API calls that the gateway will authenticate using stored OAuth tokens — treat it as powerful and audit what connections exist.
Persistence & Privilege
The skill does not request always: true, does not include install scripts, and does not modify other skills or system-wide config. It uses the platform default (agent may invoke it autonomously), which is expected for skills.
Assessment
This skill appears to be what it claims: a passthrough proxy to many services hosted by Maton (maton.ai). Before installing or setting MATON_API_KEY in your environment: 1) Verify maton.ai and the publisher are trustworthy; check their documentation and account settings. 2) Treat MATON_API_KEY as a secret — anyone with it can call Maton's gateway and act on any OAuth connections tied to that Maton account. 3) Audit your Maton account connections (https://ctrl.maton.ai/connections) and revoke any you don't want exposed. 4) Prefer a minimal Maton account or scoped key when possible; avoid putting the key into shared or public environments. 5) If you need stronger assurance, contact Maton support to confirm how keys and stored OAuth tokens are scoped and logged. Overall the skill is coherent, but the central third‑party proxy model means you must trust Maton with access to any services you connect through it.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bwy4g5de17x8d9g1jrzt3v983ktmc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧠 Clawdis
EnvMATON_API_KEY

Comments