Is github-api safe?

https://clawhub.ai/byungkyu/github-api

72
CAUTION

This skill is a GitHub API wrapper that routes all traffic through Maton's third-party gateway (gateway.maton.ai), creating a man-in-the-middle position where Maton has full visibility into the user's GitHub activity including private repositories. While the skill contains no malicious code or install-time payloads, the architectural pattern of delegating OAuth token custody and API proxying to a third party introduces significant trust and data exposure risks. The skill also documents destructive GitHub operations (repo deletion, PR merging) without safety guardrails.

Category Scores

Prompt Injection 62/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (8)

HIGH All GitHub API traffic proxied through third-party gateway -30

Every API call is routed through gateway.maton.ai, which acts as a reverse proxy to api.github.com. This gives Maton full visibility into all GitHub API requests and responses, including access to private repository contents, user identity, organization data, and all mutations (creating repos, merging PRs, etc.). The user's GitHub OAuth token is held by Maton's infrastructure.

HIGH Skill instructs agent to execute inline Python/shell code with secrets -25

The SKILL.md contains numerous code blocks that the agent is expected to execute, all of which embed the MATON_API_KEY environment variable into HTTP requests sent to third-party servers. This creates a pattern where the agent routinely sends credentials to external infrastructure as part of normal operation.

MEDIUM OAuth token custody delegated to third party -15

The connection management system at ctrl.maton.ai creates and stores OAuth connections to GitHub. The user completes OAuth authorization through Maton's connect.maton.ai, meaning Maton holds the user's GitHub OAuth tokens. If Maton's infrastructure is compromised, all connected GitHub accounts are exposed.

MEDIUM Cross-skill promotion to api-gateway skill -13

The skill description directs users to install another skill (api-gateway) for 'other third party apps', creating a trust chain where installing one skill leads to installing more skills from the same author, all routing traffic through Maton's infrastructure.

MEDIUM Destructive GitHub operations with no safety guardrails -30

The skill documents destructive operations (DELETE repository, merge PRs, update/delete files) without any confirmation patterns, rate limiting suggestions, or safety warnings. An agent following these instructions could inadvertently or maliciously delete repositories or merge unreviewed PRs.

LOW Broad OAuth scope requirements unclear -20

The skill accesses repositories, issues, PRs, organizations, users, and code search but does not document what OAuth scopes are requested. The note about 'read:org' scope errors suggests broad permissions may be requested during the OAuth flow at connect.maton.ai, which the user cannot inspect before granting.

INFO No executable install artifacts 0

The skill contains no install scripts, git hooks, submodules, or symlinks. All code is in documentation examples that require explicit agent execution. package.json is empty.

INFO Clean install with no side effects -5

No network activity, no unexpected processes, and no filesystem changes outside /tmp/jiti (runtime cache) were observed during installation.