Jeftest

Security checks across malware telemetry and agentic risk

Overview

Review recommended: this skill fronts a very broad API gateway with powerful account actions, and its documentation is inconsistent about whether services are reached through OAuth or through API-key or bot-token credentials.

Install only if you trust Maton and are comfortable giving an agent broad, live access to connected services. Treat MATON_API_KEY as sensitive, connect only least-privilege accounts, specify exact connections where possible, and require explicit confirmation before any send, post, delete, admin, billing, public-link, webhook, crawl, or document-processing action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (109)

Description-Behavior Mismatch
Severity: Medium | Confidence: 95%
Finding: The README states that Baserow uses API_KEY authentication (database tokens), which conflicts with the skill's stated security model of managed OAuth connections. This discrepancy can cause the agent or downstream integrators to handle credentials outside the intended authorization flow, increasing the risk of secret misuse, overbroad access assumptions, or unsafe connection patterns.

Intent-Code Divergence
Severity: Medium | Confidence: 88%
Finding: The README states 'Uses API key authentication,' which conflicts with the skill metadata claiming third-party access requires explicit user OAuth authorization through Maton. In a connector skill, contradictory auth documentation can mislead downstream agents or users into assuming a bearer key alone is sufficient, increasing the risk of credential misuse, insecure integration patterns, or bypass attempts against expected user-consent flows.

Description-Behavior Mismatch
Severity: Medium | Confidence: 92%
Finding: The file documents a direct Exa-specific integration with gateway-managed authentication, which materially conflicts with the manifest's broader representation that access to external services always depends on user-authorized OAuth connections. This kind of capability-description mismatch can mislead users and downstream reviewers about what services are reachable and under what trust model, increasing the chance of unintended data disclosure or unauthorized use of a built-in provider credential.

Intent-Code Divergence
Severity: High | Confidence: 98%
Finding: The README says authentication is automatic because the gateway injects the API key, directly contradicting the manifest's claim that every service requires explicit user OAuth authorization. In this skill context, that is especially dangerous because users may believe no external service can be called unless they have individually connected it, while Exa requests could still be sent through a platform-held credential without additional user authorization.

Description-Behavior Mismatch
Severity: Medium | Confidence: 93%
Finding: The reference states that fal.ai uses API key authentication rather than the skill's documented OAuth-scoped third-party access model. This mismatch can mislead downstream agents or users about the trust boundary, authorization flow, and what credentials are sufficient to access external services, increasing the risk of unsafe integration behavior or improper secret handling.

Description-Behavior Mismatch
Severity: Medium | Confidence: 94%
Finding: The README documents capabilities for web scraping, crawling, browser automation, search, and agent execution that materially expand beyond the skill metadata's stated purpose of managed OAuth-based integration with user-authorized third-party services. This mismatch can mislead downstream reviewers and agents about the real operational scope, increasing the chance of unauthorized internet interaction, data collection, or use of capabilities the user did not reasonably expect.

Intent-Code Divergence
Severity: High | Confidence: 98%
Finding: The top-level skill security description claims third-party access requires explicit user OAuth authorization, but this reference states Firecrawl uses API key authentication. That discrepancy is security-relevant because API-key-backed access may allow external actions without per-service user consent, undermining user expectations, review assumptions, and authorization boundaries.

Description-Behavior Mismatch
Severity: Medium | Confidence: 88%
Finding: The reference exposes broad tenant-administration capabilities such as creating users, deleting users/groups, assigning roles, and making users admins, while the skill metadata describes the capability only generically as interacting with external services. That mismatch can cause users or downstream agents to underestimate that this skill can perform privileged administrative changes against Google Workspace once an OAuth connection exists.

Description-Behavior Mismatch
Severity: Medium | Confidence: 84%
Finding: The reference exposes broad Grafana capabilities including read, create, update, and delete operations over dashboards, folders, data sources, annotations, teams, alerting, plugins, and service-account-related resources, while the skill description only generically says it can 'interact with external services.' That mismatch can cause users and downstream agents to underestimate that this connector may perform administrative configuration changes and destructive actions on a user's Grafana instance.

Intent-Code Divergence
Severity: Medium | Confidence: 95%
Finding: The README states that authentication is automatic via an injected `APIKEY` header, which conflicts with the skill metadata claiming access is governed by explicit OAuth authorization per user connection. This mismatch can mislead downstream agents or users about the actual trust boundary and credential model, increasing the risk of unauthorized assumptions, accidental overreach, or incorrect handling of sensitive operations.

Intent-Code Divergence
Severity: Medium | Confidence: 96%
Finding: The README explicitly states that the Manus connection uses API_KEY authentication, which conflicts with the skill metadata's claim that services require explicit user OAuth authorization through Maton's connect flow. This mismatch can mislead downstream agents or users into assuming stronger consent and scoping guarantees than actually exist, increasing the risk of unauthorized access patterns or overtrust in the integration's security model.

Intent-Code Divergence
Severity: Medium | Confidence: 97%
Finding: The reference explicitly states that the Reducto connection uses API key authentication, which contradicts the skill metadata claiming third-party services require explicit user OAuth authorization. This mismatch can mislead users and downstream agents about the trust boundary and authorization model, causing data to be sent to an external service under weaker or different controls than advertised.

Description-Behavior Mismatch
Severity: Medium | Confidence: 95%
Finding: The documented integration behavior says this service uses an API-key-based connection and direct document-processing endpoints, while the skill metadata frames external service access as strictly user-authorized via Maton's OAuth connect flow. That inconsistency is security-relevant because it can cause operators or users to incorrectly assume all outbound access is user-scoped and explicitly consented when this integration may operate under a platform-held credential instead.

Context-Inappropriate Capability
Severity: Medium | Confidence: 87%
Finding: The skill metadata says third-party access is managed through user-scoped OAuth, but this reference exposes direct API key lifecycle operations for Resend. Documenting creation and deletion of provider API keys introduces a parallel credential path that can bypass the stated OAuth-only trust model and expand access beyond the user's intended session or scopes.

Intent-Code Divergence
Severity: High | Confidence: 95%
Finding: The skill metadata states that third-party access requires explicit OAuth authorization, but this Telegram reference shows access routed via a bot token placeholder automatically injected from connection configuration. That mismatch can mislead users and reviewers about the actual authentication model, causing them to underestimate the privilege and reach of a stored Telegram bot token, which can enable message access, posting, deletion, forwarding, and webhook control without OAuth-style per-user consent.
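
The auth-model findings above, from Baserow through Telegram, all reduce to one check: does a per-service reference document an authentication path other than the OAuth connect flow the manifest promises? The block below is an added example of that check as a regex audit over documentation text; it is not SkillSpector's or Maton's code. The manifest sentence and the per-service excerpts are constructed to mirror the findings' wording, and the label names and the severity rule (platform-held credential, so no per-user consent step, rates High) are this example's own.

```python
"""Audit per-service reference docs against the skill manifest's auth claim.

Added example; not SkillSpector's or Maton's code. The manifest sentence and
the per-service excerpts are constructed for illustration; the label names
and severity rule are this example's own.
"""
import re

# Constructed: what the top-level skill metadata promises.
MANIFEST = ("Third-party access requires explicit user OAuth authorization "
            "through the Maton connect flow.")

# Constructed per-service reference excerpts, worded like the findings above.
REFERENCES = {
    "baserow": "Uses API_KEY authentication (database tokens).",
    "exa": "Authentication is automatic: the gateway injects the API key.",
    "firecrawl": "Firecrawl uses API key authentication.",
    "telegram": "Requests use {{BOT_TOKEN}}, injected from the connection configuration.",
    "resend": "Create and delete API keys with POST /api-keys and DELETE /api-keys/{id}.",
    "slack": "Connect your Slack workspace with OAuth; the connection is user-scoped.",
}

# Auth models a reference can mention. One excerpt may match several.
AUTH_PATTERNS = {
    "oauth": re.compile(r"\boauth\b", re.I),
    "api_key": re.compile(r"\bapi[\s_-]?keys?\b", re.I),
    "bot_token": re.compile(r"\bbot[\s_-]?token\b|\{\{BOT_TOKEN\}\}", re.I),
    # Credential supplied by the platform rather than by a per-user consent step.
    "gateway_injected": re.compile(
        r"\b(?:gateway|platform)\s+injects?\b|injected from the connection", re.I),
    # Creating/deleting provider keys opens a credential path parallel to OAuth.
    "key_lifecycle": re.compile(r"\b(?:create|delete)\b[^.]*\bapi[\s_-]?keys?\b", re.I),
}
PLATFORM_HELD = {"gateway_injected", "bot_token"}


def classify_auth(text):
    """Return the set of auth-model labels an excerpt mentions."""
    return {label for label, pat in AUTH_PATTERNS.items() if pat.search(text)}


def audit(manifest=MANIFEST, references=REFERENCES):
    """Report every service whose documented auth path is absent from the manifest."""
    claimed = classify_auth(manifest)
    findings = []
    for service, text in sorted(references.items()):
        extra = classify_auth(text) - claimed
        if not extra:
            continue  # documented path matches what the manifest promises
        findings.append({
            "service": service,
            "type": ("Context-Inappropriate Capability" if "key_lifecycle" in extra
                     else "Intent-Code Divergence"),
            # A platform-held credential reaches the service with no per-user consent.
            "severity": "High" if extra & PLATFORM_HELD else "Medium",
            "observed": sorted(extra),
        })
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f"{f['severity']:6} {f['service']:10} {f['type']}: {', '.join(f['observed'])}")
```

Run against the constructed excerpts, the audit flags five of six services and leaves only Slack, whose reference matches the manifest's OAuth claim; a real run would point `REFERENCES` at the skill's reference files rather than embedded strings.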

Missing User Warnings
Severity: Medium | Confidence: 86%
Finding: The documentation prominently includes state-changing examples such as posting Slack messages, creating HubSpot contacts, creating connections, and deleting connections without strong warnings or confirmation requirements. In an agent setting, this normalizes write/delete operations and increases the risk of unintended modification of third-party data or accounts.

Missing User Warnings
Severity: Medium | Confidence: 82%
Finding: The reference exposes write-capable operations such as contact creation, contact updates, account creation, and adding contacts to sequences without any warning that these actions modify remote systems. In an agent context, lack of explicit cautions or confirmation guidance increases the risk of unintended CRM changes or accidental outreach being triggered through natural-language requests.

Missing User Warnings
Severity: Medium | Confidence: 86%
Finding: Person enrichment, contact lookup, and email/message search endpoints can process personal data, yet the reference provides no privacy, consent, or data-handling warning. In an agent-integrated environment, this can normalize sensitive-personal-data queries without prompting users to consider authorization, lawful basis, minimization, or downstream exposure of enriched contact information.

Missing User Warnings
Severity: Medium | Confidence: 90%
Finding: The README documents destructive delete operations without any warning, confirmation guidance, or safety constraints. In an agent skill context, this can lead an LLM or integrator to invoke irreversible actions directly from natural-language prompts, increasing the risk of accidental or prompt-induced data loss.

Missing User Warnings
Severity: Medium | Confidence: 82%
Finding: The README documents destructive delete operations, including recursive folder deletion, without any caution about permanence, confirmation, or scope validation. In an agent/tooling context, this increases the chance that an LLM or downstream integrator invokes high-impact actions on user-authorized Box data without adequate user awareness.

Missing User Warnings
Severity: Medium | Confidence: 87%
Finding: The documentation shows how to create a shared link with access set to "open" but provides no privacy or data-exposure warning. In a skill designed to act on third-party services, normalizing public-link creation without caution can lead to accidental external disclosure of files or folders.

Missing User Warnings
Severity: Medium | Confidence: 86%
Finding: The reference explicitly documents destructive and outbound-action capabilities, including contact deletion and email sending, without any warning about irreversible effects, consent requirements, or confirmation expectations. In an agent skill context that exposes external-service actions, this omission can increase the chance that downstream agents or users invoke high-impact operations without adequate safeguards.

Missing User Warnings
Severity: Medium | Confidence: 84%
Finding: The README documents mutations that can create or schedule social-media posts but provides no warning that these operations have external side effects and may publish content to user-linked accounts. In an agent skill context, missing side-effect warnings increase the chance an automated system triggers posting actions without clear confirmation, leading to reputational damage, accidental publication, or abuse of connected social accounts.

Missing User Warnings
Severity: Medium | Confidence: 91%
Finding: The README documents multiple state-changing and destructive operations such as create, update, archive, cancel, and delete without any cautions, confirmation guidance, or least-privilege notes. In an agent skill context, this can normalize unsafe execution of high-impact actions and increase the chance an LLM or user triggers irreversible changes against a connected third-party account.

Missing User Warnings
Severity: Medium | Confidence: 92%
Finding: The README exposes messaging, contact-management, and deletion capabilities without any guidance about user consent, privacy implications, billing impact, or confirmation requirements for destructive actions. In an agent skill context, documentation often shapes how tools are invoked; omitting safety caveats makes it more likely an agent or integrator will send messages or delete data without explicit user awareness.
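
The Overview's recommendation (require confirmation before any send, post, delete, admin, billing, public-link, webhook, crawl or document-processing action, specify exact connections, treat MATON_API_KEY as sensitive) and the Missing User Warnings findings above describe the same control: a gate in front of the gateway call, rather than a caution in a README the agent may not read. The block below is an added example of such a gate; it is not code from the skill or from Maton. It assumes a generic tool-call shape (HTTP method, provider path, connection id, JSON body); the path keywords, the `ALLOWED_CONNECTIONS` values and the `shared_link.access` body check (Box's convention for public links) are assumptions for illustration.

```python
"""Confirmation gate in front of agent tool calls routed through an API gateway.

Added example; not code from the skill or from Maton. It assumes a generic
tool-call shape (HTTP method, provider path, connection id, JSON body). The
path keywords, the ALLOWED_CONNECTIONS values and the shared_link.access
body check (Box's convention) are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed allow-list: the exact connections this agent may target.
ALLOWED_CONNECTIONS = {"slack-team-ops", "box-finance-ro"}

# Patterns run against "<method> <path>" in lower case (assumed path conventions).
RISKY = {
    "destructive": re.compile(r"^delete |/(?:delete|archive|cancel|trash)(?=[/?]|$)"),
    "outbound": re.compile(
        r"^post \S*/(?:messages?|posts?|emails?|send|publish|chat\.postmessage)(?=[/?]|$)"),
    "admin": re.compile(r"/(?:users?|groups?|roles?|admins?|members?|service-?accounts?)(?=[/?]|$)"),
    "billing": re.compile(r"/(?:billing|invoices?|subscriptions?|payments?)(?=[/?]|$)"),
    "credential": re.compile(r"/(?:api-?keys?|tokens?|secrets?)(?=[/?]|$)"),
    "webhook": re.compile(r"/(?:webhooks?|setwebhook)(?=[/?]|$)"),
    "crawl": re.compile(r"/(?:crawl|scrape|browse|agent)(?=[/?]|$)"),
    "document_processing": re.compile(r"/(?:parse|extract|ocr|split)(?=[/?]|$)"),
}
READ_ONLY = {"GET", "HEAD", "OPTIONS"}
# Reading these resources changes nothing; only writes to them need confirmation.
WRITE_ONLY_CATEGORIES = {"admin", "billing", "credential", "webhook"}

# Gateway key as it appears in a request header or an environment dump.
SECRET = re.compile(r"(?i)(authorization:\s*bearer\s+|maton_api_key=)(\S+)")


@dataclass
class ToolCall:
    method: str
    path: str
    connection: str
    body: dict = field(default_factory=dict)


@dataclass
class Decision:
    action: str   # "allow", "confirm" or "deny"
    reasons: list


def _public_access(obj):
    """True if any nested 'access' value would expose a resource to anyone."""
    if isinstance(obj, dict):
        if str(obj.get("access", "")).lower() in {"open", "public", "anyone"}:
            return True
        return any(_public_access(v) for v in obj.values())
    if isinstance(obj, list):
        return any(_public_access(v) for v in obj)
    return False


def categorise(call):
    """Return the risk categories a call falls into (empty set = plain read)."""
    method = call.method.upper()
    key = f"{method} {call.path}".lower()
    cats = {name for name, pat in RISKY.items() if pat.search(key)}
    if method in READ_ONLY:
        cats -= WRITE_ONLY_CATEGORIES
    if "destructive" in cats and "recursive=true" in key:   # recursive folder deletion
        cats.add("recursive_delete")
    if _public_access(call.body):                            # shared link with access "open"
        cats.add("public_link")
    return cats


def decide(call, allowed=ALLOWED_CONNECTIONS):
    """Deny off-list connections, allow plain reads, require confirmation for the rest."""
    if call.connection not in allowed:
        return Decision("deny", [f"connection {call.connection!r} not in allow-list"])
    cats = categorise(call)
    return Decision("confirm", sorted(cats)) if cats else Decision("allow", [])


def redact(line):
    """Mask the gateway key before a request or environment dump reaches a log."""
    return SECRET.sub(lambda m: m.group(1) + "[REDACTED]", line)


if __name__ == "__main__":
    samples = [
        ToolCall("GET", "/channels", "slack-team-ops"),
        ToolCall("POST", "/chat.postMessage", "slack-team-ops", {"channel": "C1", "text": "hi"}),
        ToolCall("DELETE", "/folders/123?recursive=true", "box-finance-ro"),
        ToolCall("PUT", "/files/99", "box-finance-ro", {"shared_link": {"access": "open"}}),
        ToolCall("GET", "/contacts", "hubspot-sales"),
    ]
    for c in samples:
        d = decide(c)
        print(f"{d.action:8} {c.method} {c.path} -> {', '.join(d.reasons) or 'read only'}")
    print(redact("Authorization: Bearer sk-live-123"))
```

The gate is deliberately conservative: an off-list connection is denied outright, a plain read passes, and anything that matches a risky category is returned as "confirm" with the reasons so the agent can show them to the user before proceeding. The categories mirror the findings above (recursive Box deletes, "open" shared links, provider API-key creation, outbound posts), and `redact` keeps the gateway key out of the logs those confirmations generate.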

VirusTotal

0/66 vendors flagged this skill; all 66 reported it clean.