Api Gateway 1.0.7

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate API gateway, but it gives agents broad authenticated access to many sensitive services with weak safety guidance around writes, deletes, webhooks, and external sends.

Install only if you trust Maton with brokered access to the connected services and you are comfortable managing OAuth connections carefully. Use least-privilege accounts/scopes where possible, verify the selected connection and account before each call, and require explicit user confirmation before sending messages, changing ads or billing/business records, deleting data, sharing files, or creating webhooks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (36)

Vague Triggers

Medium (92% confidence)
Finding
The skill description is extremely broad and encourages use for interacting with many external services. In an agent environment, this can cause over-selection for generic requests and lead to unintended execution of actions against third-party APIs, including write or delete operations, without sufficiently narrow scope or guardrails.

Missing User Warnings

Medium (95% confidence)
Finding
The documentation prominently advertises direct passthrough access to third-party APIs but does not clearly warn users that prompts and parameters may transmit user data to external services and may perform creates, updates, or deletes. In a skill system, that omission materially increases the risk of unintended data disclosure or unauthorized state-changing actions.

Missing User Warnings

Medium (91% confidence)
Finding
The reference explicitly documents create, update, and delete operations against a live third-party service but does not warn that these actions mutate remote data or recommend confirmation before execution. In an agent skill context, this increases the chance an agent will treat destructive examples as routine and perform unintended writes or deletions on production Airtable bases.

Missing User Warnings

Medium (78% confidence)
Finding
Documenting webhook creation without warning that events will be sent to an arbitrary external URL increases the risk of unintentional data exfiltration. In an API-gateway skill that facilitates third-party API access, this is more dangerous because an agent may treat webhook setup as routine configuration and forward organizational task or project data outside approved destinations.

Missing User Warnings

Medium (86% confidence)
Finding
The documentation shows creation of webhook subscriptions to arbitrary external URLs without warning that Calendly event data will be transmitted off-platform. In an agent context, this can enable unintended exfiltration of scheduling metadata to attacker-controlled endpoints if the user intent is not carefully validated.

Missing User Warnings

Medium (92% confidence)
Finding
The reference documents multiple state-changing and destructive ClickUp operations such as creating, updating, and deleting tasks, spaces, folders, lists, and webhooks, but provides no cautionary guidance, confirmation requirements, or usage constraints. In an agent skill that serves as an API gateway to third-party services, this increases the chance that an LLM or downstream caller will invoke destructive actions on behalf of a user without adequate validation or explicit consent.

Missing User Warnings

Medium (86% confidence)
Finding
The documentation includes concrete mutate examples that create campaigns and enable campaign status without any warning that these operations change live Google Ads resources and can affect ad delivery and spend. In an API-gateway skill with managed authentication, users may treat examples as safe defaults and unintentionally perform real production mutations against accessible accounts.

Missing User Warnings

Medium (89% confidence)
Finding
The note says authentication is automatic and headers are injected, but it does not warn that the injected credentials grant real access to whichever Google Ads accounts are available to that OAuth context. In this skill context, that omission increases the risk of over-trusting the router and sending unintended queries or mutations against live advertiser accounts.

Missing User Warnings

Medium (93% confidence)
Finding
The reference explicitly states that authentication is automatic and documents administrative create/update endpoints for Google Analytics without any safety guidance, confirmation requirements, or warning about configuration-changing side effects. In an agent skill, this can normalize or enable authenticated state-changing operations against third-party analytics assets, increasing the risk of unauthorized or accidental modifications if the agent invokes these routes based on ambiguous user prompts.

Missing User Warnings

Medium (95% confidence)
Finding
The document provides write, update, patch, and delete examples for calendar events without any user-facing caution that these operations modify or remove user data. In an agent skill context, omission of such warnings increases the chance an agent will perform destructive or privacy-impacting actions without confirmation, especially because calendar changes can notify attendees and disrupt real-world schedules.

Missing User Warnings

Medium (92% confidence)
Finding
The note that the router automatically injects the OAuth token lacks a privacy and authority warning, which can cause users or downstream agents to underestimate that requests execute with the user's authenticated access. In this skill, that means queries can read sensitive calendar contents and write operations can alter calendars under the user's identity with third-party API permissions.

Missing User Warnings

Medium (89% confidence)
Finding
The reference documents create and batchUpdate operations that can modify user Google Docs content, but it does not warn that these are state-changing actions or advise confirmation before execution. In an agent skill context, omission of mutation-risk guidance increases the chance that an agent will perform destructive or unintended edits to user data based on ambiguous prompts.

Missing User Warnings

Medium (93% confidence)
Finding
Stating that OAuth authentication is injected automatically without any privacy, scope, or access warning can normalize silent use of powerful user credentials. In a gateway skill for third-party APIs, this makes accidental overreach more likely because operators or downstream agents may treat authenticated access as inherently safe rather than sensitive.

Missing User Warnings

Medium (94% confidence)
Finding
The reference explicitly documents destructive and sharing-capable Google Drive actions such as deleting files and creating permissions, but provides no warning, confirmation guidance, or safety constraints around user-impacting operations. In an agent skill context, this increases the chance an agent will treat these actions as routine and execute irreversible or privacy-affecting changes based on ambiguous or manipulated prompts.

Missing User Warnings

Medium (88% confidence)
Finding
This reference documents endpoints that can create, modify, and delete Google Forms, but it does not warn that these operations affect real third-party data and may trigger destructive or unintended changes. In an API-gateway skill with automatic OAuth token injection, omission of this warning increases the chance that an agent or user invokes state-changing operations without explicit confirmation or awareness of side effects.

Missing User Warnings

Medium (92% confidence)
Finding
The documented response-reading endpoints can expose submitted form answers, which may contain personal, confidential, or otherwise sensitive user data, yet the reference provides no privacy warning. Because the skill proxies requests with managed authentication, an agent could retrieve respondent data more easily than a user realizes, increasing the risk of unintended data exposure.

Missing User Warnings

Medium (92% confidence)
Finding
This reference exposes privacy-sensitive and destructive Gmail capabilities such as listing messages, retrieving message contents, sending mail, modifying labels, trashing messages, and managing drafts, while providing no cautionary guidance about user consent, least privilege, or confirmation before high-risk actions. In an agent skill context with automatic OAuth injection, this can normalize unsafe use of mailbox access and increase the chance that an agent performs sensitive or destructive actions without adequate user awareness or confirmation.

Missing User Warnings

Medium (87% confidence)
Finding
The reference exposes endpoints for conference records, participants, recordings, and transcripts, which are highly sensitive collaboration data, but provides no warning about privacy, consent, retention, or access-control expectations. In an API gateway skill that enables easy access to third-party APIs, this omission can normalize retrieval of sensitive meeting artifacts without prompting the agent or user to consider legal, organizational, or least-privilege constraints.

Missing User Warnings

Medium (84% confidence)
Finding
The documented `:endActiveConference` endpoint performs a disruptive action that can immediately terminate a live meeting, yet the reference includes no warning about user impact, authorization sensitivity, or confirmation requirements. In a gateway skill, this increases the risk that an agent treats the operation like a routine API call and ends active conferences accidentally or without adequate user confirmation.

Missing User Warnings

Medium (87% confidence)
Finding
The reference documents destructive Google Play operations such as deleting in-app products without any warning, confirmation guidance, or explanation of irreversible business impact. In an API-gateway skill intended to help agents call third-party services, this increases the chance an agent or user triggers harmful state-changing actions against production app assets.

Missing User Warnings

Medium (84% confidence)
Finding
Stating that authentication is automatic and the router injects the OAuth token, without clarifying authorization boundaries or least-privilege expectations, can encourage over-trusting the gateway and obscure the sensitivity of delegated third-party access. In an API gateway skill that fronts external services, this increases the risk of unintended access to user spreadsheets or broader data exposure if callers assume any referenced operation is implicitly approved.

Missing User Warnings

Medium (91% confidence)
Finding
The reference documents destructive operations such as deleting forms and submissions without any caution about irreversibility, confirmation requirements, or user-consent expectations. In an API-gateway skill that may be invoked by an agent, this increases the risk that an unsafe prompt or ambiguous user request could trigger permanent data loss.

Missing User Warnings

Medium (90% confidence)
Finding
The webhook creation guidance omits any warning that form submissions and related metadata may be sent to an external destination controlled by the provided URL. In this skill context, that can facilitate unintended data exfiltration or silent forwarding of sensitive form responses to third-party systems.

Missing User Warnings

Medium (88% confidence)
Finding
The reference documents multiple mutating Notion operations such as updating data sources, creating pages, archiving pages, appending/updating blocks, and deleting blocks, but it provides no safety guidance about confirming user intent before modifying workspace content. In an agent skill, this increases the chance that downstream agents will perform destructive or irreversible actions based on ambiguous prompts, causing unintended data loss or unauthorized changes.

Missing User Warnings

Medium (94% confidence)
Finding
The reference documents multiple state-changing Outlook operations such as sending mail, deleting messages, deleting events, deleting contacts, moving messages, and creating records, but it provides no warning that these actions can irreversibly modify user data or send communications on the user's behalf. In an agent skill context, omission of safety guidance increases the risk that downstream agents or users will invoke destructive endpoints without confirmation, especially because the skill is explicitly meant to broker third-party API actions with managed auth.

VirusTotal

64/64 vendors flagged this skill as clean.
