Is apollo-api safe?
https://clawhub.ai/byungkyu/apollo-api
This skill is a documentation-only Apollo.io API integration that routes all requests through Maton's third-party gateway (gateway.maton.ai). It contains no executable files or install hooks, but its SKILL.md includes inline Python/JavaScript code blocks that make authenticated HTTP calls using the user's MATON_API_KEY. The primary risks are credential relay to a third-party service, write operations that could pollute CRM data or trigger email sequences, and a troubleshooting section that instructs echoing the API key to stdout.
Category Scores
Findings (10)
MEDIUM API key relayed to third-party gateway -25
All API calls route the user's MATON_API_KEY as a Bearer token to gateway.maton.ai and ctrl.maton.ai. The skill creates a dependency on Maton's infrastructure as a credential relay. If Maton's gateway is compromised, all Apollo API traffic and credentials are exposed.
MEDIUM Inline executable code blocks in SKILL.md -15
The skill contains multiple Python and JavaScript code blocks that the agent is implicitly expected to execute. These code blocks make HTTP requests to external services using environment credentials. While this is the skill's intended functionality, it means the agent will execute network-calling code from the skill's prompt content.
MEDIUM Troubleshooting instructs echoing API key -15
The troubleshooting section instructs the agent to run 'echo $MATON_API_KEY' to verify the key is set. This could leak the API key to conversation output, logs, or other monitoring systems.
LOW Cross-skill reference in description -15
The skill description references another skill (api-gateway) and suggests using it for 'other third party apps'. This cross-reference could be used to encourage installation of additional skills, expanding the attack surface.
MEDIUM Write operations could pollute CRM or trigger emails -20
The skill exposes write endpoints (create contacts, create accounts, add contacts to email sequences). A manipulated or confused agent could create bogus CRM records or add contacts to automated email campaigns, causing reputational and business harm.
MEDIUM Connection management allows creating/deleting OAuth links -15
The ctrl.maton.ai endpoints allow creating new OAuth connections and deleting existing ones. A manipulated agent could disrupt a user's active integrations by deleting connections.
LOW Multiple executable code patterns in documentation -10
The skill contains executable code examples in Python (urllib, requests) and JavaScript (fetch) that make authenticated HTTP calls. While no standalone executable files exist in the repo, the SKILL.md itself serves as a code execution template.
INFO No install scripts, git hooks, or symlinks 0
The repository contains no package.json with install scripts, no .githooks directory, no .gitattributes filters, no git submodules, and no symlinks. The code execution surface is limited to SKILL.md content.
INFO Runtime reads of sensitive files during install -5
Filesystem monitoring shows the OpenClaw runtime reading .env, .aws/credentials, .profile, and .bashrc during skill installation. These appear to be from the runtime environment rather than the skill itself, but the .aws/credentials read is notable.
INFO All honeypot files intact 0
No canary files (fake .env, SSH keys, AWS credentials) were accessed or modified during the audit.