Google search console
Security checks across malware telemetry and agentic risk
Overview
The skill is mostly consistent with Google Search Console access, but it includes a hard-coded Maton connection ID and relies on OAuth/API-key access that is under-declared in the metadata.
Review before installing. Use only your own MATON_API_KEY and OAuth connection, replace the hard-coded connection ID with your own verified connection_id, and carefully approve any PUT or DELETE commands that could change sitemap or connection state.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent might accidentally send requests against a Maton OAuth connection that is not their own or not the intended one, or expose or reuse an identifier tied to someone else's account setup.
The skill tells users how to select a specific OAuth connection but uses a concrete connection ID rather than a placeholder, creating an account-boundary risk if copied or invoked by an agent.
-H "Maton-Connection: 21fd90f9-5935-43cd-b6c8-bde9d915ca80"
Replace all concrete connection IDs with placeholders such as {connection_id}, and verify the selected connection belongs to the intended Google Search Console account before making requests.
Installing or using the skill requires trusting Maton with delegated Google Search Console access, even though the metadata does not clearly advertise a primary credential requirement.
The skill requires a Maton API key and delegated OAuth access, while the registry metadata declares no required env vars or primary credential. This appears purpose-aligned but under-declared.
All requests require the Maton API key: ... -H "Authorization: Bearer $MATON_API_KEY"
Only use a Maton API key and OAuth connection you control, and confirm the Google account and Search Console properties before authorizing.
A mistaken PUT or DELETE request could alter sitemap submission state or remove a Maton OAuth connection.
The skill documents mutating API operations for sitemaps and Maton connections. These actions are aligned with the stated management purpose, but they can change Search Console configuration.
# Submit sitemap ... -X PUT ... # Delete sitemap ... -X DELETE ... # Delete Connection ... -X DELETE
Review generated cURL commands before execution, especially PUT and DELETE requests, and use placeholders only after substituting the intended site URL, feed path, and connection.
Search analytics data, site URLs, and sitemap operations may be visible to or processed by the gateway provider as part of the integration.
Requests flow through Maton's gateway, which handles OAuth token injection. This is disclosed and purpose-aligned, but it means Search Console queries and responses pass through a third-party service boundary.
The gateway proxies requests to `www.googleapis.com` and automatically injects your OAuth token.
Review Maton's access, retention, and OAuth-scope practices before using the skill for sensitive or production Search Console properties.
Users have less external context for trusting the skill's instructions and the referenced Maton gateway workflow.
The skill has limited provenance information. There is no code or install script here, but users cannot verify the publisher through a source repository or homepage from the provided metadata.
Source: unknown; Homepage: none
Prefer skills with clear publisher provenance, or independently verify the service endpoints and documentation before using credentials.
