Is acuity-scheduling safe?

https://clawhub.ai/byungkyu/acuity-scheduling

72
CAUTION

This skill is a documentation-only Acuity Scheduling API wrapper that routes all traffic through a third-party gateway (Maton). It contains no executable code, no install hooks, and no malicious patterns. The primary risk is the man-in-the-middle architecture where all API calls including client PII flow through gateway.maton.ai, requiring users to trust both Acuity and Maton. A secondary concern is the cross-skill reference to api-gateway that could enable skill-chaining.

Category Scores

Prompt Injection 62/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (9)

MEDIUM All traffic proxied through third-party gateway -25

Every API call routes through gateway.maton.ai rather than directly to acuityscheduling.com. The Maton gateway sees all request/response data including client PII (names, emails, phones, appointment details). Users must trust Maton's infrastructure and privacy practices in addition to Acuity's.

MEDIUM Cross-skill reference enables chaining -20

The skill description explicitly directs the agent to install and use another skill (api-gateway) for 'other third party apps'. This cross-reference pattern could be exploited for skill-chaining attacks where the referenced skill has broader or unexpected permissions.

MEDIUM Agent instructed to execute inline code with env var access -10

The skill contains 15+ Python heredoc blocks that the agent is expected to execute. Each block reads MATON_API_KEY from environment and makes HTTP requests. While this is the intended usage pattern, it normalizes the agent executing code that accesses credentials and makes external network calls.

LOW Troubleshooting instructs echoing secrets -8

The troubleshooting section instructs the agent to run 'echo $MATON_API_KEY' which would expose the API key in terminal output, logs, or agent conversation history.

LOW OAuth session tokens exposed in connection responses -10

The connection creation flow returns URLs containing session tokens (connect.maton.ai/?session_token=...) that could be logged in agent conversation history or terminal output, potentially allowing unauthorized OAuth access.

LOW Persistent OAuth delegation to third party -5

The ctrl.maton.ai connection management means Maton maintains persistent OAuth tokens for the user's Acuity account. Even after uninstalling the skill, Maton retains access unless the user explicitly deletes the connection or revokes OAuth from Acuity's side.

INFO Runtime reads sensitive files during install -10

The OpenClaw runtime (not the skill itself) reads .env, .aws/credentials, .profile, .bashrc, and auth-profiles.json during skill installation. This is standard runtime behavior but means sensitive file contents are loaded into the process memory space.

INFO No executable code in repository -5

The skill contains only SKILL.md, _meta.json, LICENSE.txt, and origin.json. No package.json, no scripts, no hooks, no compiled code. All code execution happens via inline examples in SKILL.md that the agent interprets at runtime.

INFO PII handling through third-party proxy -15

Appointment data contains significant PII (full names, email addresses, phone numbers, scheduling patterns). All of this flows through Maton's gateway, creating a secondary data processor that users may not be aware of when they consent to using Acuity Scheduling.