Maxun

WarnAudited by ClawScan on May 10, 2026.

Overview

The Maxun integration is mostly purpose-aligned, but it asks users to enable unrestricted no-confirmation shell execution and its helper script can execute a local .env file.

Only install this if you trust the Maxun account integration and can keep exec permissions constrained. Avoid the suggested full/no-confirmation exec setup, do not run it from directories with untrusted `.env` files, and verify that any `MAXUN_BASE_URL` points to a trusted Maxun endpoint.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

High

#ASI02: Tool Misuse and Exploitation

What this means

If applied, the agent may be able to run shell commands without asking, increasing the impact of mistakes or prompt-injection attempts.

Why it was flagged

The setup instructions ask users to grant full shell execution with confirmations disabled. That is broader than the skill’s narrow Maxun API actions require.

Skill content

"exec": { "host": "gateway", "security": "full", "ask": "off" }

Recommendation

Do not enable global full/no-confirmation exec for this skill. Use a narrowly scoped command wrapper or keep approval prompts on for shell execution.

High

#ASI05: Unexpected Code Execution

What this means

Running the Maxun command from a directory containing an untrusted `.env` file could execute code on the user’s machine.

Why it was flagged

The helper script automatically sources `.env` from the current directory. In shell, `source .env` can execute arbitrary shell code, not just load variables.

Skill content

if [ -f .env ]; then
  set -a
  source .env
  set +a
fi

Recommendation

Avoid sourcing arbitrary `.env` files. Load only trusted configuration from a fixed path, or parse simple key/value lines without executing shell syntax.

Medium

#ASI03: Identity and Privilege Abuse

What this means

A misconfigured or malicious environment could cause the Maxun API key to be sent somewhere other than the intended Maxun service.

Why it was flagged

The script sends the Maxun API key to a configurable base URL. This can be legitimate for self-hosting, but it is not declared in the metadata and, combined with local `.env` sourcing, could redirect the key to an unintended endpoint.

Skill content

BASE_URL="${MAXUN_BASE_URL:-https://app.maxun.dev}"
API_KEY="${MAXUN_API_KEY:-}"
AUTH_HEADER="x-api-key: $API_KEY"
...
curl -sf -H "$AUTH_HEADER" ... "$BASE_URL$1"

Recommendation

Only use a trusted `MAXUN_BASE_URL`, document it clearly, and consider validating the destination or requiring explicit user approval when it is not the default Maxun URL.

Low

#ASI03: Identity and Privilege Abuse

What this means

The skill can act on the user’s Maxun account within whatever permissions the API key grants.

Why it was flagged

The skill requires a Maxun API key, which is expected for listing and running robots through the Maxun API.

Skill content

requires:
  env:
    - MAXUN_API_KEY
...
primaryEnv: MAXUN_API_KEY

Recommendation

Use a dedicated, least-privilege Maxun API key if available, and revoke it if the skill is no longer needed.