Is google-docs safe?

https://clawhub.ai/byungkyu/google-docs

72
CAUTION

This skill is a documentation-only Google Docs API wrapper that routes all traffic through Maton's third-party gateway (gateway.maton.ai), giving Maton full visibility into document contents and OAuth tokens. While the skill contains no executable code or direct malicious payloads, the complete dependency on a third-party proxy for sensitive document operations represents a significant trust delegation. Installation monitoring detected reads of sensitive files (.env, .aws/credentials) which appear attributable to the ClawHub installer runtime rather than the skill itself.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 60/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (9)

HIGH All traffic proxied through third-party gateway -25

Every Google Docs API call is routed through gateway.maton.ai rather than directly to Google's API. This gives Maton complete visibility into all document contents, OAuth tokens, and user activity. Users have no way to verify that Maton is not logging, storing, or exfiltrating this data.

HIGH OAuth session tokens exposed in URLs -10

The connection creation flow returns OAuth authorization URLs with session tokens as query parameters. These tokens could be logged in browser history, proxy logs, or referer headers.

MEDIUM API key sent to multiple third-party domains -10

The MATON_API_KEY is transmitted to at least three distinct Maton-controlled domains: gateway.maton.ai, ctrl.maton.ai, and connect.maton.ai. This broadens the attack surface for credential interception.

MEDIUM Sensitive file reads during installation -30

The installation process read .env, .aws/credentials, .openclaw/openclaw.json, and auth-profiles.json. While these may be normal for the ClawHub installer runtime rather than the skill itself, the skill's install triggered access to credential files.

MEDIUM Cross-skill promotion creates chaining risk -15

The skill description explicitly references and links to another skill (api-gateway), which could lead an agent to suggest or auto-install additional skills, expanding the attack surface.

MEDIUM Inline code execution patterns normalized -15

The skill contains numerous inline Python heredoc execution examples (python <<'EOF') that an LLM agent may execute directly. This normalizes a pattern where the agent runs arbitrary code, making it easier for secondary prompt injections (e.g., in fetched document content) to trick the agent into executing malicious code.

LOW Temporary transpiled code during install -10

The installer created transpiled JavaScript files in /tmp/jiti/ during installation, suggesting runtime code compilation. While this appears to be part of the ClawHub installer rather than the skill, it represents opaque code execution during install.

INFO No executable code in skill package 0

The skill consists solely of SKILL.md (documentation), _meta.json, LICENSE.txt, and origin metadata. No executable files, install scripts, git hooks, submodules, or symlinks are present.

INFO Canary files intact 0

All honeypot credential files remained unmodified, indicating no targeted credential harvesting by the skill.