Is active-campaign safe?

https://clawhub.ai/byungkyu/active-campaign

72
CAUTION

This skill is a legitimate ActiveCampaign API integration that routes all traffic through Maton's third-party gateway (gateway.maton.ai), creating a persistent man-in-the-middle position on all CRM data. While no malicious code execution or data exfiltration was detected during installation, the architectural design means users must trust both ActiveCampaign and Maton with their contact PII, deal data, and OAuth tokens. The skill also directs agents to install a sibling api-gateway skill and includes troubleshooting commands that echo API keys to stdout.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (10)

HIGH All API traffic proxied through third-party gateway -25

Every API call routes through gateway.maton.ai rather than directly to ActiveCampaign's API. The gateway operator (Maton) has full visibility into all CRM data in transit including bearer tokens, contact PII, deal values, and email campaign content. Users implicitly trust a third party they may not have evaluated.

HIGH Third-party proxy creates persistent MITM position -25

The architectural design places Maton in a permanent man-in-the-middle position for all ActiveCampaign operations. OAuth tokens are managed by ctrl.maton.ai, meaning Maton controls authentication as well as data transit.

MEDIUM Cross-skill redirection to api-gateway -15

The skill description instructs the agent to use a sibling skill (api-gateway) for non-ActiveCampaign tasks, creating an implicit trust chain that expands the author's control surface.

MEDIUM Inline Python heredoc execution patterns -15

The skill uses python <<'EOF' patterns extensively, priming the agent to execute Python code that makes network requests through the third-party gateway using environment credentials.

MEDIUM Full CRM write access enables destructive operations -15

The skill provides DELETE operations on contacts, deals, lists, and tags, plus the ability to create webhooks pointing to arbitrary URLs and manage email campaigns. A manipulated agent could cause significant damage.

MEDIUM API key exposure via troubleshooting echo command -10

The troubleshooting section directs the agent to run 'echo $MATON_API_KEY', printing the secret to stdout where it may be logged.

LOW Emphatic behavioral override in troubleshooting -10

Uses 'ALWAYS follow these steps' language to override agent judgment in error scenarios, directing it to execute specific diagnostic commands.

LOW AWS credentials file accessed during install -10

The monitoring log shows ~/.aws/credentials was opened and read during the install process. This is likely the openclaw agent's normal startup behavior rather than skill-initiated, but warrants noting.

LOW Webhook creation enables persistent exfiltration -5

The skill documents how to create webhooks that forward events to any URL, enabling a persistent data siphon that outlasts the agent session.

INFO All canary files intact 0

No honeypot files were accessed or modified during the audit.