Is attio-api safe?
https://clawhub.ai/byungkyu/attio-api
This skill is a markdown-only Attio CRM integration that routes all API traffic through a third-party gateway (maton.ai) rather than directly to Attio. While it contains no executable code, install hooks, or malicious payloads, the architecture means all CRM data and OAuth tokens pass through Maton's infrastructure, creating a significant trust dependency. The troubleshooting section also instructs echoing API keys to stdout, and the skill cross-references another skill from the same author, suggesting an ecosystem of proxy-based integrations.
Findings (10)
HIGH All CRM data routed through third-party proxy gateway -25
Every API call goes through gateway.maton.ai instead of directly to api.attio.com. This means a third party (Maton) sees all CRM data in transit including contacts, companies, tasks, and notes. Users consent to Attio having their data, but this adds an additional party to the data flow that users may not be aware of.
HIGH Separate third-party control plane manages OAuth connections -10
Connection lifecycle (create, list, delete) is managed through ctrl.maton.ai, a separate endpoint from the data gateway. This gives Maton infrastructure full control over OAuth token management, meaning they can revoke, inspect, or use tokens independently.
MEDIUM Troubleshooting instructs echoing API key to stdout -7
The troubleshooting section tells the agent to run 'echo $MATON_API_KEY' which would print the secret to stdout. In an agent context, this could end up in logs, chat history, or other persistent storage where it could be leaked.
MEDIUM Embedded executable code blocks encourage agent to run Python with credentials -15
The skill contains numerous Python code blocks using heredoc syntax (python <<'EOF') that an LLM agent will be instructed to execute. These blocks send the MATON_API_KEY to external endpoints. While the endpoints appear legitimate, this pattern trains the agent to run code that sends credentials to third-party infrastructure.
MEDIUM Cross-skill referral in description frontmatter -13
The skill description references another skill (api-gateway) by URL, suggesting the agent install or use it. This creates a chain-loading pattern where installing one skill leads to another, potentially expanding the attack surface.
LOW Sensitive files accessed during installation -22
Filesystem monitoring detected reads of .env, .aws/credentials, .openclaw/openclaw.json, and auth-profiles.json during the install phase. These appear to be from the OpenClaw runtime environment rather than the skill itself, but the skill's installation triggered this activity.
INFO No executable code in skill package -10
The skill contains only markdown (SKILL.md), metadata JSON files, and a LICENSE. No package.json with install scripts, no git hooks, no executable files, no symlinks. Code examples in SKILL.md are documentation, not auto-executed.
INFO All canary files intact 0
No honeypot files (.env, SSH keys, AWS credentials) were accessed or modified by the skill itself.
MEDIUM Third-party man-in-the-middle on all CRM operations -25
When this skill is active, an agent performing CRM operations sends all data through Maton's infrastructure. A sophisticated attacker controlling maton.ai could harvest CRM data, modify records silently, or use OAuth tokens to access the user's Attio workspace directly. Even if Maton is legitimate, this architecture creates a single point of compromise for all CRM data.
LOW Skill chaining could expand third-party access -15
The cross-referral to the api-gateway skill suggests this is part of a family of skills that all route through maton.ai. Combined, these could give a single third party proxy access to multiple SaaS platforms simultaneously.