Skill Trust Decision

jef1test

Legitimate API gateway proxy with significant privacy implications due to MITM architecture routing all third-party service data through maton.ai infrastructure.

Source: Manual upload · Scanned: Apr 4, 2026
Files: 1 · Artifacts: 26 · Violations: 0 · Findings: 3

Why this conclusion was reached

0/4 dimensions flagged

Declared vs actual capability: Pass
Declared resources and inferred behavior are broadly aligned.

Hidden execution and egress: Review
26 lower-risk artifacts were extracted and still need context.

Attack chain and severe findings: Pass
There is no explicit malicious chain in the report.

Dependencies and supply chain hygiene: Review
Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

MITM architecture (+20)
All API calls pass through gateway.maton.ai, enabling service provider visibility into all data.

Third-party OAuth aggregation (+15)
Unified access to 100+ services through a single credential: a high-value target.

Credential dependency (+10)
MATON_API_KEY required and sent to maton.ai infrastructure.

Most important evidence

Medium · Data Exfil · All API data routed through third-party proxy

The gateway architecture routes all API calls through gateway.maton.ai, enabling maton.ai to observe, log, and potentially store all request/response data for connected third-party services.

Location: SKILL.md:1
Recommendation: Users should verify maton.ai's data handling policies and ensure this MITM architecture is acceptable for their use case, especially for sensitive services like email, CRM, or financial APIs.

Medium · Sensitive Access · Unified OAuth token aggregation

A single MATON_API_KEY provides access to manage OAuth connections for 100+ services. If it is compromised, an attacker gains the ability to initiate OAuth flows or access all connected services.

Location: SKILL.md:1
Recommendation: Consider using separate credentials per service category to limit the blast radius. Monitor for unauthorized connection creation.

Low · Doc Mismatch · Security claims may be understated

SKILL.md states 'MATON_API_KEY authenticates with Maton.ai but grants NO access to third-party services by itself'. While technically true, the key enables gateway access, which can leverage the user's authorized OAuth tokens for all connected services.

Location: SKILL.md:5
Recommendation: Clarify that while the API key alone doesn't grant service access, it enables the gateway, which uses the user's existing OAuth connections.

Declared capability vs actual capability

Network: Pass (declared READ, inferred READ). SKILL.md declares network access for API calls to gateway.maton.ai and ctrl.maton.ai.
Environment: Pass (declared READ, inferred READ). SKILL.md line 13: requires the MATON_API_KEY environment variable.
Filesystem: Pass (declared NONE, inferred NONE). No file operations declared or present.
Shell: Pass (declared NONE, inferred NONE). No shell execution in documentation or examples.

Suspicious artifacts and egress

Medium · External URL · https://maton.ai (SKILL.md:6)
Medium · External URL · https://gateway.maton.ai/slack/api/chat.postMessage (SKILL.md:30)
Medium · External URL · https://gateway.maton.ai/ (SKILL.md:41)
Medium · External URL · https://maton.ai/settings (SKILL.md:67)
Medium · External URL · https://ctrl.maton.ai (SKILL.md:72)
Medium · External URL · https://ctrl.maton.ai/connections?app=slack&status=ACTIVE (SKILL.md:79)
Medium · External URL · https://connect.maton.ai/?session_token=5e9... (SKILL.md:98)
Medium · External URL · https://ctrl.maton.ai/connections (SKILL.md:113)
Medium · External URL · https://ctrl.maton.ai/connections/ (SKILL.md:129)
Medium · External URL · https://slack.com/api/chat.postMessage (SKILL.md:466)
Medium · External URL · https://api.hubapi.com/crm/v3/objects/contacts (SKILL.md:480)
Medium · External URL · https://gateway.maton.ai/hubspot/crm/v3/objects/contacts (SKILL.md:484)

Dependencies and supply chain

There are no structured dependency warnings.

File composition

1 file · 662 lines
Markdown: 1 file · 662 lines
Files of concern: 1

SKILL.md (Markdown · 662 lines), artifacts:
  All API data routed through third-party proxy
  Unified OAuth token aggregation
  Security claims may be understated
  https://maton.ai
  https://gateway.maton.ai/slack/api/chat.postMessage
  https://gateway.maton.ai/
  https://maton.ai/settings
  https://ctrl.maton.ai
  https://ctrl.maton.ai/connections?app=slack&status=ACTIVE
  https://connect.maton.ai/?session_token=5e9...
  https://ctrl.maton.ai/connections
  https://ctrl.maton.ai/connections/
  https://slack.com/api/chat.postMessage
  https://api.hubapi.com/crm/v3/objects/contacts
  https://gateway.maton.ai/hubspot/crm/v3/objects/contacts
  https://gateway.maton.ai/google-sheets/v4/spreadsheets/122BS1sFN2RKL8AOUQjkLdubzOwgqzPT64KfZ2rvYI4M/values/Sheet1!A1:B2
  https://gateway.maton.ai/salesforce/services/data/v64.0/query?q=SELECT+Id
  https://api.airtable.com/v0/meta/bases/
  https://gateway.maton.ai/airtable/v0/meta/bases/appgqan2NzWGP5sBK/tables
  https://api.notion.com/v1/data_sources/
  https://gateway.maton.ai/notion/v1/data_sources/23702dc5-9a3b-8001-9e1c-000b5af0a980/query
  https://api.stripe.com/v1/customers
  https://gateway.maton.ai/stripe/v1/customers?limit=10
  https://gateway.maton.ai/google-mail/gmail/v1/users/me/messages
  https://gateway.maton.ai/gmail/v1/users/me/messages
  https://ctrl.maton.ai/connections?app=google-mail&status=ACTIVE
  https://www.maton.ai/docs/api-reference
  https://discord.com/invite/dBfFAcefs2
  [email protected]

Security positives

No direct code execution or shell commands.
No credential harvesting beyond the declared MATON_API_KEY requirement.
Documentation accurately describes the passthrough architecture.
No base64 encoding, obfuscation, or anti-analysis techniques.
No access to sensitive local paths (~/.ssh, ~/.aws, .env).
No remote script execution (curl|bash, wget|sh).
No hidden functionality: all capabilities are declared in SKILL.md.