Api Gateway 1.0.7

v1.0.0

API gateway for calling third-party APIs with managed auth. Use this skill when users want to interact with external services like Slack, HubSpot, Salesforce...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is an API gateway/proxy for many third‑party services and the SKILL.md and reference files consistently describe proxy routing for many common APIs — this aligns with the name/description. However, registry metadata reported 'Required env vars: none' and 'Primary credential: none' while SKILL.md explicitly requires a MATON_API_KEY; that mismatch is unexpected and unexplained.
Instruction Scope
The runtime instructions are narrowly scoped to calling gateway.maton.ai and control endpoints (ctrl.maton.ai/connect.maton.ai) using the MATON_API_KEY and optional Maton-Connection header. The instructions do not direct the agent to read arbitrary local files, other environment variables, or system configuration beyond the single API key.
Install Mechanism
This is instruction-only (no install spec, no code files executed at install). That is the lowest install risk: nothing is downloaded or written to disk during install according to the package data.
Credentials
The gateway needs a single API key (MATON_API_KEY), which is proportionate to a proxy service. However, the registry listing did not declare any required env vars or primary credential, while the SKILL.md makes MATON_API_KEY mandatory. That inconsistency is a red flag. Also note that using this skill routes OAuth tokens and API calls through a third party (maton.ai), which means sensitive API requests and tokens will transit Maton's infrastructure. You should only use a gateway you trust and ideally issue a limited-scope/least-privilege key.
Persistence & Privilege
The skill does not request always:true and does not install persistent components. It is user-invocable and allows autonomous invocation (platform default), which is normal for skills.
What to consider before installing
This skill appears to be what it says, a proxy that injects OAuth tokens for many third‑party APIs, but there are two things to verify before using it:
(1) The package metadata and SKILL.md disagree about required credentials: SKILL.md requires MATON_API_KEY but the registry metadata listed no required env vars. Ask the publisher to correct/confirm the declared requirements.
(2) The owner metadata in _meta.json appears different from the registry owner id, and the skill has no homepage or source URL; confirm the publisher identity (maton.ai) and that you trust them to proxy your API calls and tokens.
If you proceed, use a least-privilege Maton API key (scoped and revocable), avoid sending highly sensitive secrets through the gateway, and test with non‑production data first. If the publisher can provide an authoritative homepage, source repo, and updated registry metadata that declares MATON_API_KEY explicitly and explains the owner id discrepancy, that would increase confidence and could change this assessment to benign.
