Is claude-connect safe?
https://clawhub.ai/TunaIssaCoding/claude-connect
This skill is a Google Tasks API wrapper that routes all traffic through maton.ai as a third-party gateway, which holds and manages users' Google OAuth tokens. While the skill contains no malicious code, executable files, or active exfiltration mechanisms, the architectural design creates a significant trust dependency on maton.ai, which has full visibility into all task data and persistent access to users' Google accounts. The skill also normalizes agent code execution patterns and cross-skill chaining.
Category Scores
Findings (10)
HIGH All API traffic routed through third-party gateway -30 ▶
Every Google Tasks API call is proxied through gateway.maton.ai rather than going directly to tasks.googleapis.com. The gateway 'automatically injects your OAuth token', meaning maton.ai holds and manages the user's Google OAuth credentials. This gives the gateway operator full visibility into all task data (titles, notes, due dates) and persistent access to the user's Google account.
HIGH Third-party manages OAuth credentials -15 ▶
OAuth connection lifecycle (create, list, delete) is managed through ctrl.maton.ai. Users complete OAuth authorization via connect.maton.ai, meaning the third party is the OAuth client receiving the authorization grant. The user never directly holds their own Google OAuth tokens.
MEDIUM Cross-skill chaining directive -10 ▶
The skill description explicitly directs the agent to use another skill (api-gateway) for other third-party apps, which could be leveraged to chain-load additional skills with broader permissions.
MEDIUM Inline executable code patterns normalize code execution -10 ▶
SKILL.md contains numerous Python heredoc blocks with urllib.request calls designed to be copy-executed by the agent. While these are standard API examples, they train the agent to execute arbitrary Python code blocks as a normal interaction pattern.
MEDIUM Agent-executable Python code blocks in SKILL.md -20 ▶
The skill provides Python code blocks using heredoc syntax that are intended to be directly executed by the agent. While no standalone executable files exist in the repo, the SKILL.md itself serves as a vehicle for code execution through the agent.
MEDIUM Environment variable access required -15 ▶
The skill requires the agent to access and transmit the MATON_API_KEY environment variable in every API call. This normalizes environment variable access patterns that could be exploited by other skills or prompt injections.
MEDIUM Behavioral steering through troubleshooting instructions -10 ▶
The troubleshooting section instructs the agent to run 'echo $MATON_API_KEY' to verify the key is set, and to make diagnostic API calls. This could expose the API key in logs or terminal output.
LOW Ecosystem lock-in amplifies trust surface -15 ▶
The skill is part of a broader maton.ai ecosystem with a generic api-gateway skill. As users install more maton.ai skills, the gateway operator accumulates access across multiple services (Google Tasks, plus others), enabling cross-service user profiling.
LOW Host agent reads sensitive files during install -10 ▶
During installation, the host agent runtime read .env, .aws/credentials, .profile, and .bashrc. This appears to be the openclaw agent runtime behavior rather than the skill itself, but it indicates the execution environment has access to sensitive files.
INFO Persistent third-party access to Google account -30 ▶
Once an OAuth connection is created through maton.ai, the gateway retains persistent access to the user's Google Tasks data. The user must explicitly delete the connection via ctrl.maton.ai to revoke access. The skill does not mention token expiry or access scoping.