Is constant-contact safe?

https://clawhub.ai/byungkyu/constant-contact

72
CAUTION

This skill is a documentation-only Constant Contact API integration that routes all traffic through a third-party proxy gateway (Maton). While it contains no executable code and showed clean install behavior, the architectural dependency on Maton means all contact data, email content, and OAuth credentials flow through an intermediary. The skill also enables bulk destructive operations (mass deletion, email blasting) that could be weaponized if the agent is compromised.

Category Scores

Prompt Injection 62/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 75/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (10)

HIGH All traffic routed through third-party proxy gateway -25

Every API call is proxied through gateway.maton.ai rather than going directly to api.cc.email. The gateway operator (Maton) has full visibility into all requests, responses, contact data, email content, and OAuth credentials. Users must trust both Constant Contact AND Maton with their data.

HIGH OAuth token management delegated to third party -15

OAuth connection lifecycle (creation, storage, injection) is entirely managed by ctrl.maton.ai and connect.maton.ai. The user's Constant Contact OAuth tokens are stored and controlled by Maton, not the user. Maton could access the user's Constant Contact account independently.

MEDIUM Cross-skill reference enables chaining -15

The skill description explicitly directs the agent to use another skill (api-gateway) for other third-party apps. This creates a skill chaining vector where installing this skill implicitly encourages installing and using additional skills with broader access.

MEDIUM Inline executable code blocks encourage agent code execution -15

The skill contains numerous Python heredoc and shell code blocks that an LLM agent may execute directly. While these are documentation examples, an agent interpreting the skill could run these code blocks, making network requests to third-party servers with the user's credentials.

MEDIUM Bulk destructive operations accessible to agent -25

The skill documents bulk contact deletion, mass email sending, and campaign scheduling. If an agent is manipulated (via prompt injection from another source), it could delete all contacts, send unauthorized emails to the entire contact list, or schedule spam campaigns.

MEDIUM Network access requirement broadens attack surface -8

The skill explicitly requires network access and an API key environment variable. While appropriate for its stated purpose, this means any agent with this skill active has permission to make outbound HTTP requests, which could be exploited if combined with prompt injection.

LOW Sensitive file reads during install (likely runtime, not skill) -25

Filesystem monitoring detected reads of .env, .aws/credentials, .profile, .bashrc, and OpenClaw config files during the install phase. This appears to be the OpenClaw runtime bootstrapping rather than the skill itself, but the boundary is unclear.

INFO No executable code in skill package -5

The skill contains only markdown documentation, metadata JSON, and a license file. No install scripts, git hooks, submodules, or symlinks were detected. Package.json is empty.

INFO No outbound network activity during install 0

Network monitoring confirmed zero outbound connections during the clone and install phase. The skill does not phone home on installation.

LOW Email sending capability creates phishing/spam risk -20

The skill allows creating and scheduling email campaigns with arbitrary HTML content to contact lists. A manipulated agent could craft phishing emails and send them to all contacts in the user's Constant Contact account.