Is clicksend safe?

https://clawhub.ai/byungkyu/clicksend

Overall score: 72 (CAUTION)

This skill is a documentation-only ClickSend API wrapper that routes all traffic through a third-party proxy (gateway.maton.ai), creating a man-in-the-middle position over all SMS content, phone numbers, contact data, and credentials. While the skill contains no executable code, malicious hooks, or direct exfiltration attempts, the fundamental architecture exposes all user communications and API credentials to the maton.ai intermediary. The cross-skill reference to an additional api-gateway skill suggests a broader proxy ecosystem.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (9)

HIGH · All traffic proxied through third-party gateway · -25

Every API call is routed through gateway.maton.ai instead of directly to rest.clicksend.com. This creates a man-in-the-middle position where maton.ai can intercept, log, and modify all request and response data including SMS content, phone numbers, contact information, and account credentials. Users may not realize their ClickSend API traffic is being proxied through an intermediary service.

HIGH · API key exposure to intermediary service · -15

The MATON_API_KEY is sent as a Bearer token to maton.ai on every request. Additionally, maton.ai 'automatically injects' the user's ClickSend authentication, meaning maton.ai has access to and stores the user's ClickSend credentials. This gives maton.ai full access to the user's ClickSend account.

MEDIUM · Cross-skill installation directive · -20

The skill description contains a directive to install another skill: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'. This could lead an agent to automatically install additional unaudited skills, expanding the attack surface.

MEDIUM · Inline executable code patterns encourage blind execution · -15

The skill contains numerous Python heredoc code blocks designed to be executed directly by the agent. While the code itself appears benign (standard library urllib.request calls), this pattern normalizes the agent executing inline code from skill documentation without user review.

MEDIUM · SMS/voice content exposure through proxy · -30

When used for its intended purpose (sending SMS, MMS, or voice messages), all message content and recipient phone numbers flow through maton.ai's proxy. This is particularly sensitive for messaging use cases where content may include personal, financial, or confidential information.

LOW · Python code blocks use os.environ access · -5

The embedded Python code blocks access environment variables via os.environ['MATON_API_KEY']. While this is expected for authentication, it establishes a pattern where the agent executes code that reads environment variables, which could be modified in a supply chain attack.

LOW · AWS credentials file accessed during install · -5

The filesystem monitoring shows /home/oc-exec/.aws/credentials was opened during the install process. This is likely caused by the openclaw runtime rather than the skill itself, but warrants noting.

INFO · No executable artifacts in skill package · 0

The skill contains only SKILL.md, _meta.json, LICENSE.txt, and origin metadata. No package.json, no scripts, no hooks, no submodules, no symlinks. The attack surface is limited to the SKILL.md content itself.

INFO · No canary file tampering · 0

All honeypot files remained intact throughout the install and monitoring period.