Is chargebee safe?

https://clawhub.ai/byungkyu/chargebee

74
CAUTION

This skill is a documentation-only Chargebee API integration that routes all billing API traffic through a third-party proxy (maton.ai). It contains no install-time code execution, git hooks, or malicious payloads, and canary files were untouched. However, the proxy architecture means all customer PII and financial data transits through Maton's servers, the troubleshooting section risks leaking API keys to agent output, and the numerous executable code blocks could be run by an LLM agent without adequate user confirmation.

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (9)

MEDIUM All billing data routed through third-party proxy -25

Every API call routes through gateway.maton.ai rather than directly to Chargebee. This means customer PII (names, emails), invoices, subscription details, and payment metadata all transit through Maton's servers. Users must trust this intermediary with sensitive financial data.

MEDIUM API key exposure in troubleshooting instructions -15

The troubleshooting section instructs the agent to run 'echo $MATON_API_KEY', which would surface the secret in the agent's output, potentially logging it in conversation history, terminal output, or monitoring systems.

MEDIUM Executable code blocks in agent prompt context -15

The skill contains 15+ Python and bash code blocks with complete executable scripts. When injected into an LLM agent's system prompt, the agent may execute these code snippets directly in response to user requests without adequate confirmation, especially the heredoc-style Python blocks.

LOW Cross-skill reference to api-gateway -8

The skill description explicitly references another skill by URL: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'. This creates a trust chain and could be used to encourage installation of a related skill that might have different security properties.

LOW Implicit agent behavior directives -5

The Notes section contains IMPORTANT directives about how to use curl flags and handle environment variable expansion. While these are legitimate usage notes, they set a pattern of the skill instructing agent behavior, and the boundary between helpful documentation and prompt manipulation is thin.

LOW Inline Python execution patterns -25

Multiple code examples use the python <<'EOF' heredoc pattern, which is designed for direct shell execution. While these are documentation examples, an LLM agent in a tool-enabled environment would likely execute them verbatim.

INFO Gateway proxy creates single point of compromise -25

The maton.ai gateway architecture means that a compromise of Maton's infrastructure would expose all Chargebee API traffic for all users of this skill. This is an architectural risk inherent to the proxy-based OAuth approach.

INFO Host environment config files accessed during install -5

Filesystem monitoring detected reads of .env, .aws/credentials, and .openclaw config files. These appear to be from the host agent runtime rather than the skill itself, but indicate the install environment exposes sensitive files.

INFO Skill-chaining risk with api-gateway -20

If both this skill and the referenced api-gateway skill are installed, they share the same MATON_API_KEY and proxy infrastructure. A vulnerability in either skill could compromise the other's API traffic across multiple services.