jef1test Security Report — Suspicious | ClawSafe

45 /100

jef1test

API Gateway - Connect to 100+ APIs with managed OAuth

Legitimate API gateway proxy with significant privacy implications due to MITM architecture routing all third-party service data through maton.ai infrastructure.

Skill Namejef1test

Duration34.8s

Enginepi

⚠

Use with caution

Users should understand that all API calls are routed through maton.ai servers, enabling visibility into all request/response data. Ensure maton.ai is a trusted provider before granting OAuth access to sensitive services.

Findings 3 items

Severity	Finding	Location
Medium	All API data routed through third-party proxy Data Exfil The gateway architecture routes all API calls through gateway.maton.ai, enabling maton.ai to observe, log, and potentially store all request/response data for connected third-party services. `https://gateway.maton.ai/{app}/{native-api-path}` → Users should verify maton.ai's data handling policies and ensure this MITM architecture is acceptable for their use case, especially for sensitive services like email, CRM, or financial APIs.	`SKILL.md:1`
Medium	Unified OAuth token aggregation Sensitive Access Single MATON_API_KEY provides access to manage OAuth connections for 100+ services. If compromised, attacker gains ability to initiate OAuth flows or access all connected services. `Connect to 100+ APIs (Google Workspace, Microsoft 365, GitHub, Notion, Slack, Airtable, HubSpot, etc.)` → Consider using separate credentials per service category to limit blast radius. Monitor for unauthorized connection creation.	`SKILL.md:1`
Low	Security claims may be understated Doc Mismatch SKILL.md states 'MATON_API_KEY authenticates with Maton.ai but grants NO access to third-party services by itself' - while technically true, the key enables gateway access which can leverage user's authorized OAuth tokens for all connected services. `Security: The MATON_API_KEY authenticates with Maton.ai but grants NO access to third-party services by itself.` → Clarify that while the API key alone doesn't grant service access, it enables the gateway which uses user's existing OAuth connections.	`SKILL.md:5`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	SKILL.md declares network access for API calls to gateway.maton.ai and ctrl.mato…
Environment	`READ`	`READ`	✓ Aligned	SKILL.md line 13: Requires MATON_API_KEY environment variable
Filesystem	`NONE`	`NONE`	—	No file operations declared or present
Shell	`NONE`	`NONE`	—	No shell execution in documentation or examples

26 findings

🔗

Medium External URL 外部 URL

https://maton.ai

SKILL.md:6

🔗

Medium External URL 外部 URL

https://gateway.maton.ai/slack/api/chat.postMessage

SKILL.md:30

🔗

Medium External URL 外部 URL

https://gateway.maton.ai/

SKILL.md:41

🔗

Medium External URL 外部 URL

https://maton.ai/settings

SKILL.md:67

🔗

Medium External URL 外部 URL

https://ctrl.maton.ai

SKILL.md:72

🔗

Medium External URL 外部 URL

https://ctrl.maton.ai/connections?app=slack&status=ACTIVE

SKILL.md:79

🔗

Medium External URL 外部 URL

https://connect.maton.ai/?session_token=5e9...

SKILL.md:98

🔗

Medium External URL 外部 URL

https://ctrl.maton.ai/connections

SKILL.md:113

🔗

Medium External URL 外部 URL

https://ctrl.maton.ai/connections/

SKILL.md:129

🔗

Medium External URL 外部 URL

https://slack.com/api/chat.postMessage

SKILL.md:466

🔗

Medium External URL 外部 URL

https://api.hubapi.com/crm/v3/objects/contacts

SKILL.md:480

🔗

Medium External URL 外部 URL

https://gateway.maton.ai/hubspot/crm/v3/objects/contacts

SKILL.md:484

🔗

Medium External URL 外部 URL

https://gateway.maton.ai/google-sheets/v4/spreadsheets/122BS1sFN2RKL8AOUQjkLdubzOwgqzPT64KfZ2rvYI4M/values/Sheet1!A1:B2

SKILL.md:497

🔗

Medium External URL 外部 URL

https://gateway.maton.ai/salesforce/services/data/v64.0/query?q=SELECT+Id

SKILL.md:509

🔗

Medium External URL 外部 URL

https://api.airtable.com/v0/meta/bases/

SKILL.md:518

🔗

Medium External URL 外部 URL

https://gateway.maton.ai/airtable/v0/meta/bases/appgqan2NzWGP5sBK/tables

SKILL.md:521

🔗

Medium External URL 外部 URL

https://api.notion.com/v1/data_sources/

SKILL.md:530

🔗

Medium External URL 外部 URL

https://gateway.maton.ai/notion/v1/data_sources/23702dc5-9a3b-8001-9e1c-000b5af0a980/query

SKILL.md:534

🔗

Medium External URL 外部 URL

https://api.stripe.com/v1/customers

SKILL.md:545

🔗

Medium External URL 外部 URL

https://gateway.maton.ai/stripe/v1/customers?limit=10

SKILL.md:548

🔗

Medium External URL 外部 URL

https://gateway.maton.ai/google-mail/gmail/v1/users/me/messages

SKILL.md:617

🔗

Medium External URL 外部 URL

https://gateway.maton.ai/gmail/v1/users/me/messages

SKILL.md:618

🔗

Medium External URL 外部 URL

https://ctrl.maton.ai/connections?app=google-mail&status=ACTIVE

SKILL.md:625

🔗

Medium External URL 外部 URL

https://www.maton.ai/docs/api-reference

SKILL.md:660

🔗

Medium External URL 外部 URL

https://discord.com/invite/dBfFAcefs2

SKILL.md:661

📧

Info Email 邮箱地址

[email protected]

SKILL.md:662

File Tree

1 files · 32.1 KB · 662 lines

Markdown 1f · 662L

└─ 📝 SKILL.md Markdown 662L · 32.1 KB

Security Positives

✓ No direct code execution or shell commands

✓ No credential harvesting beyond declared MATON_API_KEY requirement

✓ Documentation accurately describes the passthrough architecture

✓ No base64 encoding, obfuscation, or anti-analysis techniques

✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)

✓ No remote script execution (curl|bash, wget|sh)

✓ No hidden functionality - all capabilities declared in SKILL.md

Scan Report

Findings 3 items

File Tree

Security Positives