Is google-drive safe?

https://clawhub.ai/byungkyu/google-drive

72 · CAUTION

This skill is a documentation-only Google Drive integration that routes all API traffic through a third-party proxy service (maton.ai). While the skill package itself contains no executable code, git hooks, or malicious artifacts, the fundamental architecture creates a persistent man-in-the-middle position where Maton holds server-side OAuth tokens and sees all Drive data in transit. The cross-skill reference to api-gateway encourages expanding this proxy pattern to additional services.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (9)

HIGH All data routed through third-party proxy -30

Every API call — file listings, downloads, uploads, permission changes — is proxied through gateway.maton.ai rather than going directly to Google's APIs. The Maton gateway holds a persistent man-in-the-middle position on all Drive data. The user's OAuth token is managed server-side by Maton, meaning Maton has persistent access to the user's Google Drive even when the skill is not in use.

HIGH API key sent to third-party service -15

The MATON_API_KEY is transmitted as a Bearer token to maton.ai endpoints, not to Google directly. This key grants access to connection management (create, list, delete OAuth connections) and all proxied API calls. Compromise of this single key exposes all connected Google Drive data.

MEDIUM Cross-skill chaining reference -20

The skill description explicitly references another skill by URL: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'. This trains the agent to install and invoke additional skills, expanding the attack surface. An agent following this instruction would route traffic for arbitrary third-party services through the same proxy infrastructure.

MEDIUM Executable code templates encourage direct execution -15

The skill provides numerous inline Python heredoc blocks (python <<'EOF') designed to be copy-pasted and executed. An LLM agent encountering these templates is likely to execute them directly, establishing the pattern of running code that sends credentials to third-party endpoints.

MEDIUM Persistent OAuth delegation to third party -25

The OAuth flow is managed entirely by Maton. Users authorize Google Drive access via connect.maton.ai, and Maton retains the OAuth tokens server-side. This means Maton maintains persistent access to the user's Google Drive independent of whether the skill or agent is running. The user cannot revoke access by simply removing the skill — they must also revoke the OAuth grant in their Google account settings.

MEDIUM File download capability through proxy -20

The skill documents the ability to download arbitrary file contents (GET /files/{fileId}?alt=media) through the Maton proxy. An agent using this skill could be instructed to download sensitive documents, and all content would transit through the third-party proxy.

LOW OpenClaw runtime reads sensitive files during install -5

During installation, the OpenClaw runtime (not the skill itself) accessed .env, .aws/credentials, and various config files. While this is runtime behavior rather than skill behavior, it demonstrates that the execution environment exposes sensitive files.

INFO No executable code in skill package 0

The skill contains only SKILL.md (documentation), _meta.json, LICENSE.txt, and origin metadata. No executable scripts, install hooks, git hooks, submodules, or symlinks were found. The package.json is empty.

INFO Canary files untouched 0

All honeypot files (fake .env, SSH keys, AWS credentials) remained intact. No evidence of credential harvesting during installation.