Maton MCP Tools
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Maton SaaS/OAuth integration, but it handles a Maton API key, delegates access to connected apps, and asks users to modify the Clawdbot gateway, so it should be reviewed before use.
Before installing, confirm you trust Maton and the skill source, review the complete reference code you will copy into Clawdbot, and carefully check OAuth scopes for each connected app. The static secret warning appears to be a false positive from an API-key example, not an exposed real secret in the provided artifacts.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone configuring this skill is trusting Maton and the gateway integration with access to manage connected app authorizations.
The skill requires a Maton API key and uses it to manage OAuth connections. This is expected for the stated purpose, but it grants delegated authority over connected SaaS accounts.
**API Key** — Get your API key from the Maton dashboard
Use a Maton key you trust, review connected app scopes during OAuth, rotate keys periodically, and disconnect apps you no longer need.
A mistaken or unintended delete action could remove a SaaS app connection and require reauthorization.
The backend exposes a deletion operation for Maton connections. This matches the documented connection-management purpose, but it is a mutating account action.
"maton.delete": async ({ respond, params }) => { ... `/connections/${encodeURIComponent(connectionId)}` ... { method: "DELETE" }
Keep connection creation/deletion user-initiated, consider adding an explicit confirmation step, and review connection changes regularly.
Installing the integration changes local gateway/UI code, so bugs or unreviewed changes could affect the dashboard or gateway behavior.
Installation requires manually copying reference code into the gateway and rebuilding/restarting it. This is disclosed and purpose-aligned, but it expands the trusted codebase.
Copy `maton-backend.ts` to `src/gateway/server-methods/maton.ts`.
Inspect the complete reference files before copying them, back up local changes, and verify the package/source provenance before integrating into a production gateway.
Connected services such as Gmail, Drive, Slack, Notion, or HubSpot may become accessible through Maton's platform according to the scopes granted during OAuth.
The integration delegates OAuth token handling for connected SaaS apps to Maton. This is central to the product, but it creates an external data and trust boundary.
**OAuth Tokens** | Managed by Maton (automatic refresh)
Review Maton's privacy/security posture and the OAuth scopes for each app before authorizing, and disconnect integrations that are no longer needed.
