Is google-contacts safe?
https://clawhub.ai/byungkyu/google-contacts
This skill is a documentation-only Google Contacts API wrapper that routes all requests through Maton's third-party gateway servers. While it contains no executable code, git hooks, or direct exfiltration mechanisms, the fundamental architecture places a third party in a man-in-the-middle position over highly sensitive personal contact data (names, emails, phones, addresses). The inline Python execution patterns could also be leveraged by prompt injection attacks.
Findings (8)
HIGH All contact data routed through third-party proxy -30
Every API call goes through gateway.maton.ai rather than directly to people.googleapis.com. The Maton gateway has full visibility into all contact data including names, emails, phone numbers, and addresses. Users must trust Maton's infrastructure and data handling practices with their entire Google Contacts dataset.
HIGH OAuth tokens managed opaquely by third party -15
OAuth authorization flows are handled entirely by Maton (connect.maton.ai). Users cannot inspect what scopes are requested, how tokens are stored, or whether tokens are used for purposes beyond the stated functionality. The Maton API key serves as a master key to all connected Google accounts.
MEDIUM Inline code execution patterns normalized for LLM agent -20
The skill's code examples extensively use inline Python heredoc execution (python <<'EOF'). When injected into an LLM's context, this teaches the agent that executing inline Python code is the expected pattern for this skill, which could be leveraged by prompt injection attacks to execute arbitrary code under the guise of 'using the contacts skill'.
MEDIUM Cross-skill reference may chain installations -10
The skill description references another skill by URL: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'. This could lead an LLM agent to automatically install additional skills, expanding the attack surface without explicit user consent.
LOW Sensitive file reads during installation -25
During the install phase, .env, .aws/credentials, and OpenClaw config files were read. These appear attributable to the OpenClaw runtime framework rather than the skill itself, but the skill's installation triggers this behavior.
MEDIUM PII exposure via third-party MITM position -45
Google Contacts contain highly sensitive PII — full names, email addresses, phone numbers, physical addresses, birthdays, and organizational affiliations. Routing all of this through a third-party proxy (Maton) creates a significant trust dependency. If Maton's servers are compromised, misconfigured, or malicious, all contact data for all users of this skill is exposed.
INFO No executable code in repository 0
The skill contains only SKILL.md documentation, metadata JSON files, and a LICENSE. No executable scripts, install hooks, git hooks, submodules, or symlinks were found.
INFO Canary files unmodified 0
All honeypot files (fake .env, SSH keys, AWS credentials) remained intact throughout the audit. No evidence of automated credential harvesting.