Skill v1.0.0
ClawScan security
google · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 7:10 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is an instruction-only Google Drive integration that consistently uses a Maton API gateway and only requires a single MATON_API_KEY; it appears coherent with its stated purpose, but there are metadata inconsistencies and you should only proceed if you trust the Maton service that will proxy your Drive access.
- Guidance: This skill appears to do what it claims (it proxies Drive API calls through Maton), but before installing: (1) confirm you trust maton.ai (the gateway operator) because MATON_API_KEY + the gateway can access your Google Drive data; (2) verify the Maton service's privacy/security documentation and token/connection revocation process; (3) consider using a least-privilege Google account or a test Drive when trying it; (4) rotate and revoke the MATON_API_KEY if you stop using the skill; (5) note small metadata inconsistencies across files (owner IDs and version strings differ) and lack of a homepage; ask the publisher for authoritative source/homepage or repository if you need stronger provenance before proceeding.
Review Dimensions
- Purpose & Capability (ok): The name/description (Google Drive integration) align with the runtime instructions: all examples call gateway.maton.ai and ctrl.maton.ai to manage Google Drive via a managed OAuth flow. Requiring MATON_API_KEY is consistent with using a Maton-managed gateway rather than direct Google credentials.
- Instruction Scope (ok): SKILL.md is instruction-only and limits actions to HTTP calls to Maton endpoints (gateway.maton.ai, ctrl.maton.ai, connect.maton.ai) which proxy to Google Drive. The instructions do not ask the agent to read arbitrary local files, other environment variables, or system state beyond MATON_API_KEY.
- Install Mechanism (ok): No install spec and no code files are executed by the platform; the skill is instruction-only, which minimizes on-disk install risk.
- Credentials (note): Only MATON_API_KEY is required, which is proportional to a gateway-based integration. However, that single key grants Maton-controlled access to your Google Drive (the gateway injects OAuth tokens), so the key is high-value: treat it like a credential for Drive access and only provide it to a trusted operator.
- Persistence & Privilege (ok): always is false and the skill does not request persistent or cross-skill configuration changes. The skill can be invoked autonomously by the agent (platform default), which is expected for a callable skill; this is not by itself a concern.
