.Api Gateway.Disabled.20260401 113030

Security checks across malware telemetry and agentic risk

Overview

This is a broad API gateway that can act on many connected services, but its docs understate some credential models and safety boundaries for write, delete, posting, billing, and sensitive-data actions.

Install only if you trust Maton as a gateway for the services you connect. Use least-privilege connections, treat API-key-based integrations differently from OAuth integrations, and require explicit confirmation before any action that writes, deletes, sends messages, publishes content, changes billing or ads, shares files, registers webhooks, or processes sensitive documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (69)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The README states that authentication is automatic because the router injects an API key, which can mislead an agent or developer into believing Apollo access does not require user-specific authorization. In the context of a gateway skill whose security model says third-party access must come from explicit user OAuth, this documentation mismatch can cause unauthorized requests, incorrect trust assumptions, or accidental bypass of consent expectations.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The README contradicts the skill-level security model by stating that Baserow uses API key authentication rather than the managed OAuth flow described for the skill. This is dangerous because database tokens may be handled outside the claimed consent/scoping model, creating a mismatch that can lead users or downstream agents to overtrust the integration and expose broader or differently governed access than expected.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The README explicitly states that fal.ai uses API key authentication, which conflicts with the skill metadata claiming this gateway uses managed OAuth and that the platform API key alone does not grant third-party access. That mismatch can mislead downstream agents or users into supplying raw third-party credentials outside the intended connect flow, undermining the skill's security model and creating a path for credential misuse or unauthorized external access.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding:
The README defines the HubSpot route pattern as limited to `/hubspot/crm/v3/objects/{objectType}/{endpoint}`, but later documents v4 association routes and non-object routes such as properties. That mismatch can cause downstream agents or users to make incorrect assumptions about what paths are allowed, weakening safety controls or validation logic built from the documentation.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding:
The README explicitly states that the Manus connection uses API_KEY authentication, which contradicts the skill metadata claiming third-party access requires explicit user OAuth authorization. This kind of security-model mismatch is dangerous because agents or users may assume the integration is user-consented and scoped when it may instead rely on a broadly usable credential, increasing the risk of unauthorized access or misuse.

Intent-Code Divergence

Severity: High
Confidence: 96%
Finding:
The README explicitly states that the Reducto connection uses API_KEY authentication, which conflicts with the broader skill metadata claiming third-party services require explicit OAuth authorization by the user. In an API-gateway skill, this mismatch is security-relevant because it can cause operators or downstream agents to assume user-granted OAuth scoping exists when access may instead rely on a static credential with broader or less user-visible access.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding:
The skill is designed as a generic passthrough to over 100 third-party APIs, and its trigger text says to use it whenever users want to interact with external services. That scope is so broad that an agent may invoke it for many unrelated requests, increasing the chance of unintended third-party actions or data disclosure through an over-selected tool.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The documentation prominently includes state-changing examples such as posting Slack messages, creating HubSpot contacts, creating connections, and deleting connections, but does not place an equivalent high-visibility warning that these actions can send, create, modify, or delete third-party data. In an agent setting, this increases the risk of accidental destructive or privacy-impacting actions from copied examples or autonomous tool use.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
This reference documents multiple state-changing and destructive operations such as creating, updating, and deleting contacts, tags, lists, and deals without any warning that these actions can alter or permanently remove customer data. In an agent skill that brokers authenticated access to third-party SaaS accounts, such omission increases the chance an agent or user invokes high-impact actions without confirmation or understanding of consequences.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The README documents write-capable operations such as creating contacts/accounts, updating records, and adding contacts to sequences without any warning that these actions modify external systems and may trigger outreach workflows. In an agent skill, omission of such cautions increases the chance that an LLM or integrator will perform state-changing actions without adequate user confirmation, causing unauthorized CRM changes, spam, or business-process disruption.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The examples include person enrichment, contact lookup, and email/message search involving personal data, but provide no privacy, minimization, or handling guidance. In a multi-API agent context, this can normalize collection and retrieval of PII without reminding developers or agents to ensure lawful basis, user authorization, and least-privilege handling of sensitive data.

Missing User Warnings

Severity: Medium
Confidence: 79%
Finding:
Documenting webhook creation without warning that events will be sent to an arbitrary external target URL increases the chance an agent or user may exfiltrate task or project metadata to an unintended destination. In an API-gateway skill that connects to user-authorized third-party data, outbound webhook registration is more sensitive than ordinary reads because it establishes ongoing data flow off-platform.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The upload-via-URL feature can cause the service to fetch remote content supplied by a caller, which creates privacy and trust risks such as unintended disclosure of internal URLs, ingestion of untrusted content, or confusion about what external resources the platform will contact. In an agent skill that proxies external APIs, failing to warn or constrain this increases the chance of unsafe use.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The README explicitly documents write-capable mutations such as creating posts with scheduling modes including immediate publication ('now') but provides no warning that these actions modify external third-party accounts. In an agent skill context, this increases the chance that an agent invokes a destructive or user-visible action without clear confirmation, causing unauthorized or unintended posting to connected social media channels.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The README documents capabilities to send SMS/MMS/voice messages and delete contacts, lists, templates, and email addresses, but it does not warn that these actions can incur charges, expose personal data, or irreversibly destroy user data. In an agent skill context, omission of such guardrails increases the chance an agent or user will invoke sensitive operations without adequate confirmation or awareness of privacy and operational consequences.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding:
The README explicitly documents state-changing operations including contact creation, campaign creation, updates, and deletion, but provides no warning that these actions modify customer data or may be irreversible. In an agent skill that connects to real third-party SaaS accounts via managed OAuth, this increases the chance an agent or integrator will invoke destructive actions without explicit user confirmation or safety checks.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The README describes use of the Dropbox-API-Select-User header to access files on behalf of a member, but provides no warning about privacy, auditability, or the need for explicit authorization. In an agent skill context, this can normalize impersonation-style access and lead downstream systems to retrieve employee files without adequate consent, justification, or admin-policy enforcement.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The README tells users the service uses API key authentication and discusses sending prompts, images, videos, and webhook URLs to an external provider, but omits warnings about secret handling, data sharing, retention, and privacy risks. In an API-gateway skill that connects to many external services, this lack of guidance increases the chance that users or agents expose credentials or transmit sensitive media/prompts to a third party without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The README documents powerful scraping, crawling, extraction, browser, and agent capabilities but provides no safety guidance about privacy, consent, robots/terms compliance, data handling, or impact on third-party sites. In an agent skill that connects users to external services, this omission can encourage unsafe automation against arbitrary websites and lead to collection or transmission of sensitive data without adequate user awareness.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The README includes concrete mutate examples for creating campaigns and enabling campaign status without any caution that these operations modify live Google Ads resources and may incur real spend. In an API gateway skill that brokers authenticated access to user-authorized third-party services, such examples can normalize or encourage state-changing actions without prompting for confirmation, increasing the risk of accidental ad activation or budgeted campaign creation.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The README explicitly documents destructive deletion and permission-sharing operations but provides no warnings, confirmation guidance, or safe-usage constraints. In an agent skill context, this increases the chance that an agent or user invokes high-impact actions without understanding they can delete files or broaden access to third parties.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding:
The README advertises operations that can send email and modify mailbox state, including trashing messages, changing labels, and sending drafts, but it provides no warning that these actions are state-changing and may affect user data. In an agent skill context, this increases the risk that downstream agents or users invoke destructive or privacy-impacting actions without adequate confirmation or awareness.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
Saying that authentication is automatic and the router injects the OAuth token normalizes silent access to Gmail data without clarifying that mailbox contents and metadata become accessible once a user has authorized the connection. In an agent-integrated API gateway, this can mislead implementers into underestimating the privacy sensitivity of email access and encourage actions against live user data without sufficient disclosure or approval flows.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The README explicitly documents endpoints for participants, recordings, transcripts, and transcript entries, which are highly privacy-sensitive meeting artifacts, but provides no warning about consent, data sensitivity, retention, or access-control expectations. In an API gateway skill that simplifies access to many third-party services, this omission can normalize collection or exposure of sensitive communications data and increase the likelihood of misuse by downstream agents or users.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The README documents an endpoint that can immediately terminate an active conference without warning that it is a disruptive, user-impacting action. In a generic API-integration skill, exposing such a destructive operation without caution or confirmation guidance increases the risk of accidental or unauthorized meeting disruption.

VirusTotal

66/66 vendors flagged this skill as clean.