Suspicious: risk score 45/100
Last scanned: 21 hours ago
jef1test
API Gateway - Connect to 100+ APIs with managed OAuth
Legitimate API gateway proxy with significant privacy implications due to MITM architecture routing all third-party service data through maton.ai infrastructure.
Skill name: jef1test
Analysis time: 34.8s
Engine: pi
Verdict: use with caution
Users should understand that all API calls are routed through maton.ai servers, enabling visibility into all request/response data. Ensure maton.ai is a trusted provider before granting OAuth access to sensitive services.

Security findings (3)

Severity | Finding | Location

Medium: All API data routed through third-party proxy (data exfiltration)
  The gateway architecture routes all API calls through gateway.maton.ai, enabling maton.ai to observe, log, and potentially store all request/response data for connected third-party services.
  Evidence: https://gateway.maton.ai/{app}/{native-api-path}
  → Users should verify maton.ai's data handling policies and ensure this MITM architecture is acceptable for their use case, especially for sensitive services like email, CRM, or financial APIs.
  Location: SKILL.md:1

Medium: Unified OAuth token aggregation (sensitive access)
  A single MATON_API_KEY provides access to manage OAuth connections for 100+ services. If compromised, an attacker gains the ability to initiate OAuth flows or access all connected services.
  Evidence: Connect to 100+ APIs (Google Workspace, Microsoft 365, GitHub, Notion, Slack, Airtable, HubSpot, etc.)
  → Consider using separate credentials per service category to limit blast radius. Monitor for unauthorized connection creation.
  Location: SKILL.md:1

Low: Security claims may be understated (misleading documentation)
  SKILL.md states 'MATON_API_KEY authenticates with Maton.ai but grants NO access to third-party services by itself'. While technically true, the key enables gateway access, which can leverage the user's authorized OAuth tokens for all connected services.
  Evidence: Security: The MATON_API_KEY authenticates with Maton.ai but grants NO access to third-party services by itself.
  → Clarify that while the API key alone doesn't grant service access, it enables the gateway, which uses the user's existing OAuth connections.
  Location: SKILL.md:5
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | SKILL.md declares network access for API calls to gateway.maton.ai and ctrl.mato…
Environment variables | READ | READ | ✓ Consistent | SKILL.md line 13: Requires MATON_API_KEY environment variable
File system | NONE | NONE | | No file operations declared or present
Command execution | NONE | NONE | | No shell execution in documentation or examples
26 findings

Severity | Type | Value | Location
Medium | External URL | https://maton.ai | SKILL.md:6
Medium | External URL | https://gateway.maton.ai/slack/api/chat.postMessage | SKILL.md:30
Medium | External URL | https://gateway.maton.ai/ | SKILL.md:41
Medium | External URL | https://maton.ai/settings | SKILL.md:67
Medium | External URL | https://ctrl.maton.ai | SKILL.md:72
Medium | External URL | https://ctrl.maton.ai/connections?app=slack&status=ACTIVE | SKILL.md:79
Medium | External URL | https://connect.maton.ai/?session_token=5e9... | SKILL.md:98
Medium | External URL | https://ctrl.maton.ai/connections | SKILL.md:113
Medium | External URL | https://ctrl.maton.ai/connections/ | SKILL.md:129
Medium | External URL | https://slack.com/api/chat.postMessage | SKILL.md:466
Medium | External URL | https://api.hubapi.com/crm/v3/objects/contacts | SKILL.md:480
Medium | External URL | https://gateway.maton.ai/hubspot/crm/v3/objects/contacts | SKILL.md:484
Medium | External URL | https://gateway.maton.ai/google-sheets/v4/spreadsheets/122BS1sFN2RKL8AOUQjkLdubzOwgqzPT64KfZ2rvYI4M/values/Sheet1!A1:B2 | SKILL.md:497
Medium | External URL | https://gateway.maton.ai/salesforce/services/data/v64.0/query?q=SELECT+Id | SKILL.md:509
Medium | External URL | https://api.airtable.com/v0/meta/bases/ | SKILL.md:518
Medium | External URL | https://gateway.maton.ai/airtable/v0/meta/bases/appgqan2NzWGP5sBK/tables | SKILL.md:521
Medium | External URL | https://api.notion.com/v1/data_sources/ | SKILL.md:530
Medium | External URL | https://gateway.maton.ai/notion/v1/data_sources/23702dc5-9a3b-8001-9e1c-000b5af0a980/query | SKILL.md:534
Medium | External URL | https://api.stripe.com/v1/customers | SKILL.md:545
Medium | External URL | https://gateway.maton.ai/stripe/v1/customers?limit=10 | SKILL.md:548
Medium | External URL | https://gateway.maton.ai/google-mail/gmail/v1/users/me/messages | SKILL.md:617
Medium | External URL | https://gateway.maton.ai/gmail/v1/users/me/messages | SKILL.md:618
Medium | External URL | https://ctrl.maton.ai/connections?app=google-mail&status=ACTIVE | SKILL.md:625
Medium | External URL | https://www.maton.ai/docs/api-reference | SKILL.md:660
Medium | External URL | https://discord.com/invite/dBfFAcefs2 | SKILL.md:661
Info | Email address | [email protected] | SKILL.md:662

Directory structure

1 file · 32.1 KB · 662 lines
Markdown: 1 file · 662 lines
└─ 📝 SKILL.md (Markdown, 662 lines · 32.1 KB)

Security highlights

✓ No direct code execution or shell commands
✓ No credential harvesting beyond declared MATON_API_KEY requirement
✓ Documentation accurately describes the passthrough architecture
✓ No base64 encoding, obfuscation, or anti-analysis techniques
✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)
✓ No remote script execution (curl|bash, wget|sh)
✓ No hidden functionality - all capabilities declared in SKILL.md