Api Gateway.Bak

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad API gateway for real connected accounts, but it gives agents high-impact read/write/delete and outbound-action power without enough scoping or confirmation guidance.

Install only if you trust Maton with brokerage access to your connected services and can enforce your own safeguards. Use least-privilege connections, prefer read-only scopes where possible, require explicit confirmation before any write/delete/send/publish/payment/admin action, and be careful with API-key-based providers because they may not have the same user-scoped OAuth protections.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (65)

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The README states that authentication is automatic via a router-injected API key, which conflicts with the declared security model that third-party access requires explicit per-service user OAuth authorization. This can mislead downstream agents or developers into believing requests are already authorized and safe to send, increasing the risk of unauthorized data access attempts, confused-deputy behavior, or improper trust in implicit credentials.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding:
The reference explicitly states that Baserow uses API_KEY authentication rather than OAuth, which conflicts with the skill metadata claiming a managed-OAuth security model for connected services. This mismatch can cause the agent or user to assume stronger authorization boundaries than actually exist, increasing the risk of mishandling long-lived database tokens or exposing broader direct API access than expected.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
The README explicitly states that the Manus connection uses API_KEY authentication, which conflicts with the skill metadata claim that third-party services require explicit user OAuth authorization through Maton's connect flow. This inconsistency can mislead downstream agents or users into assuming stronger user-consent boundaries than actually exist, increasing the risk of unauthorized access to a directly keyed third-party API.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
The README explicitly states that the Reducto connection uses API_KEY authentication rather than user-scoped OAuth, which materially conflicts with the skill metadata claim that third-party services require explicit OAuth authorization through Maton's connect flow. This can mislead downstream agents or users into sending documents to an external service under broader, centrally managed credentials, creating unauthorized third-party data access and trust-boundary confusion.

Missing User Warnings

Severity: Medium
Confidence: 79%
Finding:
The skill exposes broad read/write access to many third-party APIs and includes mutating examples such as posting Slack messages and creating HubSpot contacts, but the quick-start and examples do not consistently foreground that user data will be transmitted to external services and that actions may mutate external state. In an agent setting, this can increase the risk of unintended external side effects if invoked without explicit user confirmation.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The reference documents create, update, replace, and delete Airtable operations without any caution that these actions modify or permanently remove user data. In an agent skill context, documentation often directly shapes tool usage, so omission of confirmation or safety guidance increases the chance an agent will perform destructive actions without explicit user intent.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The README documents write operations such as creating contacts/accounts and updating contacts without any caution that these actions modify live third-party CRM data. In an agent setting, omission of mutation warnings can cause automated or accidental state changes in a user's external systems without meaningful confirmation or awareness.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
Adding contacts to sequences is not just a passive data operation; it can trigger outreach workflows and downstream business actions. Without a warning, an agent may treat it like a harmless update and enroll people into campaigns unexpectedly, creating privacy, compliance, and reputational risk.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The README broadly describes authenticated access to Apollo endpoints, including person and contact enrichment/search, without warning that user/customer data will be transmitted to a third-party service. In a cross-service agent platform, this omission can cause operators or agents to underestimate privacy and data-handling implications of sending PII or business records to Apollo.

Missing User Warnings

Severity: Medium
Confidence: 79%
Finding:
The webhook example sends Asana event data to an arbitrary external target URL but does not warn that project/task metadata may be transmitted off-platform. In an agent setting, omission of this warning can lead to unintended data exfiltration or disclosure if a user or model configures a webhook to an untrusted endpoint.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The README documents numerous state-changing operations such as create, update, archive, cancel, enroll, upload, and delete actions, but provides no warning that these calls mutate production data or may have irreversible effects. In an agent skill that connects to real third-party SaaS accounts via OAuth, this increases the chance an automated agent or user invokes destructive operations without explicit confirmation or understanding of the impact.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding:
The README documents irreversible DELETE operations for Clio records without any caution about confirmation, authorization checks, or data-loss consequences. In an agent skill that can drive real third-party APIs, omission of safety guidance increases the chance an agent or user triggers destructive actions on production legal data unintentionally.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The reference documentation exposes many state-changing and destructive endpoints (POST, PUT, PATCH, DELETE) without any warning that invoking them can create, modify, archive, stop timers, or permanently delete user data. In an agent skill context, this increases the chance that an LLM or user triggers side effects unintentionally, especially when the README presents mutating operations alongside read-only ones with no confirmation guidance.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The documentation explicitly includes create, update, and delete Confluence operations but does not warn that these actions can modify or permanently remove user content. In an agent skill that brokers authenticated access to third-party services, this omission increases the chance an agent or user will invoke destructive operations without adequate confirmation or understanding of impact.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The README provides ready-to-use examples for creating campaigns, creating contacts, and deleting contacts without any guidance about destructive actions, consent requirements, or the handling of personal data. In an agent/tooling context, this can normalize unsafe automation of marketing and contact-management actions and increase the chance of unauthorized or privacy-impacting operations against a user's Constant Contact account.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
Stating that authentication is automatic because the router injects the OAuth token omits an important trust-boundary warning: requests are executed against an external service using the user's connected account. In an agent skill, this can cause users or downstream integrators to underestimate that actions will occur live with real credentials and real account data.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding:
The reference documents state-changing and potentially destructive operations like creating contacts, deleting contacts, and sending newsletters without any caution about user consent, privacy implications, or irreversible effects. In an agent/tooling context, this can normalize unsafe invocation of marketing actions against real user data and increase the chance of accidental spam, unauthorized contact management, or privacy-impacting actions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The documentation includes live Google Ads mutate examples that create and modify campaigns but does not warn that these operations can change production advertising resources and spend money. In an agent skill that brokers authenticated access to third-party APIs, omission of confirmation/safety guidance increases the risk of accidental destructive or costly actions by downstream agents or users.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding:
Stating that authentication is automatic without clarifying that requests use the user's authorized OAuth connection can encourage over-trusting or invisible use of credentialed access. In this skill context, the router can act on real third-party accounts, so the docs should clearly signal that authenticated requests may read or modify user data in connected services.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The README prominently documents state-changing operations such as creating properties, data streams, custom dimensions, custom metrics, conversion events, measurement protocol secrets, and updating properties, but it does not clearly warn that these actions will modify a user's live Google Analytics configuration. In an agent skill context, this omission is risky because a user or downstream agent may treat the examples as routine retrieval calls and unintentionally make persistent administrative changes to production analytics resources.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
Saying that authentication is automatic and the router injects the OAuth token, without also warning that requests execute with the user's authorized Google Analytics privileges, can obscure the security boundary. In this skill ecosystem, that increases the chance of silent over-trust: an agent may send administrative requests assuming the platform credential is harmless, when in fact the action will be performed against the user's connected Google account and authorized GA resources.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The README explicitly documents destructive and access-changing operations such as delete and permission creation, but provides no caution about confirmation requirements, least-privilege use, or the consequences to user data and sharing exposure. In an agent skill context, this can normalize unsafe invocation patterns and increase the chance an agent or developer uses high-impact endpoints without adequate safeguards.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The reference documentation exposes destructive and privilege-changing Google Workspace Admin operations such as deleting users and making users admins without any warning about user impact, authorization expectations, or confirmation safeguards. In an agent skill context, this increases the chance an LLM or integrator will invoke sensitive admin actions too casually, leading to accidental account deletion or privilege escalation against authorized tenants.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The README explicitly documents state-changing LinkedIn actions such as creating public posts, creating ad accounts, campaign groups, and campaigns, but it does not prominently warn that these operations can publish content or modify advertising resources on behalf of the user. In an agent skill context, this increases the risk that an agent will treat these endpoints as routine API calls and perform irreversible or user-visible actions without an explicit confirmation step.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The documentation explicitly demonstrates persistent workbook modifications and destructive operations such as deleting worksheets and table rows, but it provides no warning that these actions can irreversibly alter user data. In an agent skill context, this increases the chance that an agent will perform write or delete actions without clearly informing the user or obtaining confirmation first.

VirusTotal

65/65 vendors flagged this skill as clean.