Is fathom-api safe?

https://clawhub.ai/byungkyu/fathom-api

82
SAFE

This is a documentation-only skill that provides Fathom meeting API integration through Maton's OAuth proxy gateway. It contains no executable code, git hooks, or malicious payloads. The primary concerns are that all meeting data routes through a third-party proxy (gateway.maton.ai), the API supports arbitrary destination URLs for data delivery, and the skill cross-references an unaudited companion skill. Clone-time monitoring showed clean behavior with no outbound connections.

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (9)

MEDIUM All traffic routed through third-party proxy -15

All Fathom API requests are routed through gateway.maton.ai instead of directly to api.fathom.ai. The user's MATON_API_KEY and all meeting data (transcripts, summaries, recordings) pass through this intermediary. While this is the intended OAuth proxy design, it means Maton has visibility into all meeting content.

MEDIUM Arbitrary destination_url for data delivery -10

The summary and transcript endpoints accept a destination_url parameter that causes meeting data to be POSTed to any URL. If an attacker can influence the agent's API calls, they could redirect sensitive meeting content to an attacker-controlled endpoint.

MEDIUM Skill cross-references external skill for expanded access -13

The skill description directs users to install a separate api-gateway skill for 'other third party apps', which could expand the attack surface through skill chaining. The api-gateway skill was not audited here.

MEDIUM Agent directed to execute Python code making external requests -15

The skill contains numerous Python code blocks that the agent is expected to execute, each making HTTP requests to third-party domains while passing the user's API key. While these are documented API examples, they instruct the agent to run code that accesses env vars and sends them over the network.

LOW Webhook creation enables persistent data exfiltration -15

The webhook API allows creating persistent notification endpoints that receive meeting transcripts and summaries automatically. If an attacker can get the agent to create a webhook pointing to a malicious URL, they would receive ongoing meeting data without further interaction.

LOW Agent instructed to open URLs in browser for OAuth -5

The connection management flow instructs the user/agent to open a returned URL in a browser to complete OAuth. If the URL were tampered with, this could lead to credential phishing.

INFO Runtime reads user config files during install -10

During installation, the OpenClaw runtime read .env, .aws/credentials, .openclaw config, .profile, and .bashrc. This is standard runtime behavior, not skill-initiated, but worth noting.

INFO No executable code in skill package 0

The skill contains only markdown documentation files, a license, and metadata JSON. No scripts, hooks, or executable files are present.

INFO Potential for malicious fork with modified proxy URLs -20

Since this is a documentation-only skill, a malicious actor could trivially fork it and replace gateway.maton.ai URLs with attacker-controlled endpoints to harvest API keys and meeting data. Users should verify they are using the official version.