Is google-merchant safe?
https://clawhub.ai/byungkyu/google-merchant
This skill is a documentation-only API wrapper that proxies all Google Merchant Center operations through a third-party service (maton.ai). It contains no executable code, git hooks, or submodules, and showed clean clone behavior. However, the fundamental architecture routes all user credentials and business data through Maton's infrastructure, which has full read/write access to the user's Merchant Center account. The troubleshooting section risks exposing API keys in agent output.
Findings (9)
HIGH All API traffic proxied through third-party gateway -30
Every API call routes through gateway.maton.ai and ctrl.maton.ai. The user's MATON_API_KEY and all Google Merchant Center data (products, pricing, inventory, business info, reports) transit through Maton's infrastructure. This third-party proxy has full read/write access to the user's Merchant Center account via the OAuth token it manages.
MEDIUM Troubleshooting instructs echoing API key -15
The troubleshooting section explicitly instructs the agent to run 'echo $MATON_API_KEY' to verify the key is set. When an LLM agent follows this instruction, the secret value may be exposed in conversation output, logs, or terminal history.
MEDIUM Cross-skill reference to api-gateway -12
The skill description references 'the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)' for other third-party apps. This cross-reference could lead an agent to install additional skills from the same author, expanding the attack surface. The shared MATON_API_KEY across skills means compromising one affects all.
MEDIUM Inline executable code blocks guide agent to run shell commands -5
The skill contains numerous Python heredoc blocks (python <<'EOF') designed to be copy-pasted and executed by the agent. While the code itself connects to legitimate-looking endpoints, this pattern trains the agent to execute arbitrary code from skill documentation without additional user confirmation.
LOW OAuth session tokens in connection URLs -10
The connection creation flow returns URLs containing session tokens (connect.maton.ai/?session_token=...). If the agent displays these in output, the session tokens could be exposed to unauthorized parties.
LOW Credential sent to third-party on every request -5
The MATON_API_KEY is transmitted to maton.ai servers on every single API call as a Bearer token. If maton.ai is compromised or malicious, all API keys are exposed.
INFO Runtime reads sensitive user files during install -10
The ClawdBot runtime (not the skill itself) reads .env, .aws/credentials, .profile, and .bashrc during the installation process. This is standard runtime behavior but notable as it occurs in the context of installing this skill.
INFO Shared ecosystem API key increases blast radius -20
The skill is part of a broader Maton ecosystem where multiple skills (google-merchant, api-gateway, potentially others) share the same MATON_API_KEY. Compromising the key through any one skill grants access to all connected services.
INFO Write access to Merchant Center via proxy -25
The skill provides full CRUD operations on the user's Google Merchant Center: inserting/deleting products, modifying inventory, creating promotions, and managing data sources. A malicious proxy could silently alter product listings.