suspicious.exposed_secret_literal
- Location: reference/README.md:120
- Finding: File appears to expose a hardcoded API secret or token.
Advisory
Audited by static analysis on May 10, 2026.
Detected: suspicious.exposed_secret_literal
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
- Risk: Anyone configuring this skill is trusting Maton and the gateway integration with access to manage connected app authorizations.
- Details: The skill requires a Maton API key and uses it to manage OAuth connections. This is expected for the stated purpose, but it grants delegated authority over connected SaaS accounts.
- Evidence: **API Key** — Get your API key from the Maton dashboard
- Recommendation: Use a Maton key you trust, review connected app scopes during OAuth, rotate keys periodically, and disconnect apps you no longer need.

- Risk: A mistaken or unintended delete action could remove a SaaS app connection and require reauthorization.
- Details: The backend exposes a deletion operation for Maton connections. This matches the documented connection-management purpose, but it is a mutating account action.
- Evidence:

```ts
"maton.delete": async ({ respond, params }) => { ... `/connections/${encodeURIComponent(connectionId)}` ... { method: "DELETE" }
```

- Recommendation: Keep connection creation/deletion user-initiated, consider adding an explicit confirmation step, and review connection changes regularly.

- Risk: Installing the integration changes local gateway/UI code, so bugs or unreviewed changes could affect the dashboard or gateway behavior.
- Details: Installation requires manually copying reference code into the gateway and rebuilding/restarting it. This is disclosed and purpose-aligned, but it expands the trusted codebase.
- Evidence: Copy `maton-backend.ts` to `src/gateway/server-methods/maton.ts`.
- Recommendation: Inspect the complete reference files before copying them, back up local changes, and verify the package/source provenance before integrating into a production gateway.

- Risk: Connected services such as Gmail, Drive, Slack, Notion, or HubSpot may become accessible through Maton's platform according to the scopes granted during OAuth.
- Details: The integration delegates OAuth token handling for connected SaaS apps to Maton. This is central to the product, but it creates an external data and trust boundary.
- Evidence: **OAuth Tokens** | Managed by Maton (automatic refresh)
- Recommendation: Review Maton's privacy/security posture and the OAuth scopes for each app before authorizing, and disconnect integrations that are no longer needed.