Api Gateway 1.0.64

Security checks across malware telemetry and agentic risk

Overview

This skill is a real API gateway for many services, but it exposes broad write, delete, admin, billing, and webhook actions without enough built-in scoping or confirmation guidance.

Install only if you trust Maton with brokered access to the connected services and you are comfortable giving agents raw API-level power. Use least-privilege connections, specify the exact connection ID, require explicit confirmation before write/delete/admin/webhook actions, and avoid using it for production finance, ads, identity, DNS, or legal systems without additional review controls.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (90)

Intent-Code Divergence

Severity: Medium | Confidence: 93%
The README states that Baserow uses API key authentication rather than the skill's advertised managed OAuth model. That mismatch is security-relevant because consumers of the skill may assume user-scoped delegated access, while database tokens can be long-lived and broader than expected, increasing the chance of improper secret handling or over-trusting the integration.

Description-Behavior Mismatch

Severity: Medium | Confidence: 86%
The reference exposes highly privileged Google Workspace admin capabilities such as user creation, role assignment, suspension, and admin elevation, while the skill manifest only generically says it can 'interact with external services.' That mismatch can cause users or downstream agents to underestimate the sensitivity of the tool and invoke tenant-wide administrative actions without appropriate caution.

Vague Triggers

Severity: Medium | Confidence: 87%
The skill is positioned as a generic passthrough for interacting with 100+ external services and explicitly says to use it whenever users want to interact with external services. That broad invocation guidance increases the chance an agent will select this skill for loosely related requests and perform networked actions against third-party APIs without sufficiently narrow user confirmation or app-specific safety checks.

Missing User Warnings

Severity: Medium | Confidence: 90%
The examples prominently demonstrate mutating operations such as posting Slack messages and creating HubSpot contacts, but the documentation does not place a strong warning near those examples about external side effects, data disclosure, or the need for explicit user approval. In an agent setting, such examples can normalize making real outbound changes to user-connected SaaS systems.

Missing User Warnings

Severity: Medium | Confidence: 86%
The README documents create and update operations for contacts and accounts but does not warn that these actions modify remote Apollo data. In an agent skill context, that omission can cause an LLM or user to treat these examples as low-risk reference calls and unintentionally perform state-changing actions against a connected third-party system.

Missing User Warnings

Severity: Medium | Confidence: 83%
The README describes person enrichment by email or LinkedIn URL and related email lookups without noting that personal identifiers are sent to Apollo, potentially consuming credits and disclosing personal data to an external service. In this skill's API-gateway context, the omission is more significant because the skill is specifically designed to route user data to third-party APIs, so privacy-sensitive operations should be clearly flagged.

Missing User Warnings

Severity: Medium | Confidence: 92%
The documentation includes a destructive delete-task operation without any caution about confirmation, authorization scope, or irreversible effects. In an agent skill that enables real API actions against user-authorized third-party services, this increases the risk that an agent or user invokes deletion without understanding the consequence.

Missing User Warnings

Severity: Medium | Confidence: 94%
The webhook example instructs users to send Asana project/task events to an arbitrary external URL without warning that potentially sensitive metadata and workflow activity will be transmitted off-platform. In this skill context, that is materially risky because the gateway connects to real customer SaaS data and could facilitate unintended exfiltration to attacker-controlled endpoints.

Missing User Warnings

Severity: Medium | Confidence: 90%
The README includes a destructive Basecamp endpoint example for trashing a recording without any warning, confirmation guidance, or indication that the action is irreversible or operationally sensitive. In an agent skill that helps users interact with external SaaS APIs, this increases the chance that an agent or user will invoke a deletion-like action casually, causing unintended data loss in an authorized third-party account.

Missing User Warnings

Severity: Medium | Confidence: 86%
The documentation includes creation of webhook subscriptions to arbitrary URLs without any warning that Calendly event and invitee data will be transmitted to an external destination. In an API-gateway skill that brokers access to third-party services, this omission increases the risk that an agent or user configures data exfiltration or unintended outbound sharing without understanding the privacy and security consequences.

Missing User Warnings

Severity: Medium | Confidence: 92%
The README documents irreversible DELETE operations for legal-practice objects without any caution, confirmation guidance, or mention of recovery limitations. In an agent skill that can act on external services, this increases the risk that an LLM or user will invoke destructive actions on the wrong resource, causing data loss in a sensitive legal workflow.

Missing User Warnings

Severity: Medium | Confidence: 85%
The README documents destructive and user-visible operations like entry deletion and form-availability changes without any caution about confirmation, authorization boundaries, or user impact. In an agent/tooling context, this increases the chance an LLM or integrator will invoke these actions without explicit user consent, causing data loss or service disruption.

Missing User Warnings

Severity: Medium | Confidence: 91%
The documentation explicitly includes create, update, and delete operations for Confluence content but does not warn that these actions are state-changing and can modify or permanently remove user data. In an agent skill that routes to external APIs, this increases the chance an agent or user invokes destructive operations without clear acknowledgement, especially because the skill is designed for broad third-party service interaction.

Missing User Warnings

Severity: Medium | Confidence: 93%
The reference documents multiple state-changing and destructive Eventbrite operations, including publish, cancel, create, update, and delete, but provides no warning that these actions can irreversibly modify live events and ticketing data. In an agent skill context, such examples can normalize unsafe execution and make it easier for an LLM-driven agent to perform high-impact actions without explicit user confirmation.

Missing User Warnings

Severity: Medium | Confidence: 89%
The README includes concrete mutate examples that create campaigns and enable campaign status, but it does not clearly warn that these are write operations affecting live advertising resources and potentially spending money. In an agent skill, this increases the risk that an automated workflow or a user misunderstanding could trigger real changes in a connected Google Ads account.

Missing User Warnings

Severity: Low | Confidence: 78%
Saying authentication is automatic and that the router injects OAuth and developer-token headers can normalize silent credential use without explaining that calls execute against user-authorized Google Ads accounts. While the platform metadata notes scoped OAuth, the README itself lacks a user-facing reminder about access boundaries and the sensitivity of operations performed with those credentials.

Missing User Warnings

Severity: Medium | Confidence: 92%
The documentation exposes a destructive dataset deletion endpoint without any warning about irreversible data loss, safety checks, or confirmation requirements. In an agent skill context, this increases the chance an LLM or user will invoke the operation casually or with mis-specified parameters, causing deletion of entire datasets.

Missing User Warnings

Severity: Medium | Confidence: 91%
The table deletion example documents a destructive action without warning that data may be permanently lost. In an API-gateway skill used by agents, omission of such guardrails makes accidental deletion more likely when parameters are generated dynamically.

Missing User Warnings

Severity: Medium | Confidence: 95%
The example uses WRITE_TRUNCATE without explaining that it overwrites the destination table contents. This is dangerous because users or agents may copy the example directly and unintentionally destroy existing data in the target table.

Missing User Warnings

Severity: Medium | Confidence: 93%
The documentation explicitly enables reading, creating, updating, and deleting calendar events, including attendee email transmission, but does not warn about the privacy and integrity impact of acting on a user's calendar data. In an agent skill context, this omission increases the chance that downstream agents or users invoke destructive or privacy-sensitive actions without clear confirmation or awareness of consequences.

Missing User Warnings

Severity: Medium | Confidence: 90%
This reference documents multiple destructive or account-affecting actions such as deleting in-app products, canceling subscriptions, replying to reviews, and committing or deleting edits without any cautionary guidance, confirmation requirements, or scoping notes near those operations. In an agent-integrated API gateway context, this increases the risk that an LLM or user triggers high-impact state-changing actions unintentionally against a production Google Play account.

Missing User Warnings

Severity: Medium | Confidence: 89%
The document lists destructive operations like deleting users, groups, members, and org units without any warning, approval guidance, or mention of reversibility/impact. In an agent context, cookbook-style destructive examples can normalize unsafe execution and increase the chance of accidental or socially engineered tenant damage.

Missing User Warnings

Severity: Medium | Confidence: 84%
Stating that authentication is automatic and the router injects the OAuth token normalizes authenticated outbound access without reminding operators to obtain clear user intent before calling third-party APIs. In an agent skill context, this increases the risk of unintended data access or modification because the model may treat remote authenticated actions as routine and low-friction.

Missing User Warnings

Severity: Medium | Confidence: 93%
The webhook creation example sends form events and potentially sensitive submission data to an arbitrary external URL, yet the documentation provides no warning about data egress, privacy implications, or destination trust requirements. In an agent skill that can interact with external services, this omission increases the risk of users or downstream agents configuring exfiltration paths without understanding the sensitivity of the transmitted data.

Missing User Warnings

Severity: Medium | Confidence: 84%
The reference documentation includes state-changing and outbound-capable operations such as creating, updating, and deleting contacts, applying tags, enrolling contacts in campaigns, and sending email, but it does not warn that these actions can modify customer data or trigger external communications. In an agent skill context, this omission increases the chance that an agent or user invokes impactful operations without clear confirmation or awareness of side effects.

VirusTotal

56/56 vendors flagged this skill as clean.
