Is google-play safe?
https://clawhub.ai/byungkyu/google-play
This skill is a documentation-only package that proxies Google Play Developer API calls through Maton's third-party gateway infrastructure. It contains no executable code and exhibited clean installation behavior. However, it routes all API traffic (including OAuth tokens) through Maton's servers, creating a significant trust dependency. The skill also cross-promotes another skill and documents destructive API operations (delete products, cancel subscriptions, issue refunds) that a prompt-injected agent could be tricked into calling.
Findings (8)
MEDIUM All API traffic routed through third-party proxy -20
Every Google Play API request is proxied through gateway.maton.ai, giving the third party (Maton) complete visibility into the user's Google Play Developer account data, including app listings, subscription details, purchase tokens, and review content. This is a design choice, not a hidden behavior, but it creates a significant trust dependency.
MEDIUM OAuth session tokens exposed in URLs -12
When a connection is created, the response includes a URL that carries the session token as a session_token query parameter. If the agent echoes that URL into its transcript, a log file or terminal/shell history, the OAuth session token leaks with it, and anyone who can read those artifacts can reuse it for as long as it stays valid. The parameter should be redacted before the URL is logged or shown.
MEDIUM Cross-skill promotion in description -13
The skill description includes a direct link to another skill ('For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'), which could lead an agent to suggest installing additional skills without explicit user request, expanding the attack surface.
LOW Inline executable code blocks normalize shell execution -15
The skill uses Python heredoc patterns (python <<'EOF') throughout its examples. Once these are in an agent's context they normalize the habit of executing whatever code block the documentation supplies. The specific examples here are benign, but the pattern is a foothold for prompt-injection chains that bring their own heredoc.
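The three document-level findings above (traffic sent to a host outside the first-party API, links that promote other skills, and inline heredoc execution) can be checked mechanically before a skill is installed. The scanner below is an added example, not part of the ClawHub report or of the google-play skill. It runs over a constructed SKILL.md in which only the hostname gateway.maton.ai and the api-gateway link are taken from the report; the endpoint paths, package name, auth header and prose are made up for the sample, and the assumption that the first-party Google Play Developer API lives under googleapis.com is encoded as the default allowlist.

```python
"""Static scan of a skill's markdown for three document-level risk patterns.

Added example; not the report's or the skill's own code.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s)\]>\"'`]+")
# A shell heredoc fed straight to an interpreter, e.g.  python <<'EOF'
HEREDOC_RE = re.compile(r"^\s*(?:python3?|sh|bash|zsh|node)\s+<<-?\s*['\"]?\w+['\"]?", re.M)

# Constructed sample SKILL.md. gateway.maton.ai and the api-gateway link are
# quoted from the report; the paths, package name, header and text are made up.
SAMPLE_SKILL_MD = """\
# google-play

Upstream API: https://androidpublisher.googleapis.com/androidpublisher/v3/

For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)

List in-app products:

~~~bash
curl -s "https://gateway.maton.ai/google-play/inappproducts?package=com.example.app" \\
  -H "Authorization: Bearer $API_KEY"
~~~

Refund an order:

~~~bash
python <<'EOF'
import requests
requests.post("https://gateway.maton.ai/google-play/orders/refund",
              json={"orderId": "GPA.0000-0000-0000-00000"})
EOF
~~~
""".replace("~~~", "`" * 3)  # real backtick fences, built so this sample cannot close the page's own fence


@dataclass
class Finding:
    severity: str
    title: str
    detail: str


def find_urls(text: str) -> list[str]:
    """Every http(s) URL in the document, trailing punctuation stripped."""
    return [u.rstrip(".,") for u in URL_RE.findall(text)]


def scan_skill(text: str, skill_slug: str,
               first_party_suffixes: tuple[str, ...] = ("googleapis.com",),
               marketplace_host: str = "clawhub.ai") -> list[Finding]:
    """Return findings for third-party API hosts, cross-skill links and heredoc execution.

    skill_slug is the owner/name of the skill being scanned, so that a marketplace
    link to any *other* slug is reported as cross-promotion.
    """
    findings: list[Finding] = []
    proxy_hosts: dict[str, int] = {}
    for url in find_urls(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host == marketplace_host:
            slug = parsed.path.strip("/")
            if slug and slug != skill_slug:
                findings.append(Finding("MEDIUM", "Cross-skill promotion", f"links to {url}"))
            continue
        if any(host == s or host.endswith("." + s) for s in first_party_suffixes):
            continue  # the API's own domain; nothing to report
        proxy_hosts[host] = proxy_hosts.get(host, 0) + 1
    for host, n in sorted(proxy_hosts.items()):
        findings.append(Finding("MEDIUM", "Third-party API host",
                                f"{n} request(s) go to {host} rather than the first-party API"))
    for m in HEREDOC_RE.finditer(text):
        findings.append(Finding("LOW", "Inline heredoc execution", m.group(0).strip()))
    return findings


if __name__ == "__main__":
    for f in scan_skill(SAMPLE_SKILL_MD, "byungkyu/google-play"):
        print(f"{f.severity:6} {f.title}: {f.detail}")
```

On the sample this reports the api-gateway link, two requests to gateway.maton.ai and the python <<'EOF' line. Run it over every skill from the same publisher to see how much of the account's traffic would pass through one proxy (the concern raised under "Part of broader Maton skill ecosystem").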
LOW Broad destructive API surface exposed -25
The skill documents destructive operations (deleting in-app products, cancelling subscriptions, issuing refunds, deleting edits) as simple API calls. An agent tricked via prompt injection could execute these irreversible actions against the user's Google Play account as readily as a harmless listing call.
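The two agent-side mitigations the token-in-URL and destructive-surface findings call for are small enough to show together. The guard below is an added example, not code from the report, the skill or Maton: it redacts sensitive query parameters before a URL is written anywhere, and refuses a documented destructive call unless the user has confirmed it. Assumptions: session_token is the parameter named in the report, the other parameter names are common OAuth ones added here; the sample paths are made up and assumed to mirror the upstream API's shapes (DELETE on a resource, or a :cancel / :refund / :revoke verb suffix as Google's APIs use), since the proxy's real path layout is not on the page.

```python
"""Agent-side guard: redact session tokens before logging, gate destructive calls.

Added example; not the report's, the skill's or Maton's own code.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that must never reach a transcript, log file or shell history.
# session_token is the one named in the report; the rest are assumed OAuth names.
SENSITIVE_PARAMS = {"session_token", "access_token", "refresh_token", "id_token", "code"}

# A path segment or :verb suffix naming an irreversible operation. The lookahead
# keeps "cancel-sku" or "refunds" from matching.
DESTRUCTIVE_VERB_RE = re.compile(r"[/:](delete|cancel|refund|revoke|defer)(?=$|[/:?])", re.I)


def redact_url(url: str) -> str:
    """Return url with sensitive query values replaced by the literal REDACTED."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def is_destructive(method: str, url: str) -> bool:
    """DELETE is always destructive; so is any request whose path ends in a destructive verb."""
    if method.upper() == "DELETE":
        return True
    return DESTRUCTIVE_VERB_RE.search(urlsplit(url).path) is not None


@dataclass
class Decision:
    allowed: bool
    reason: str
    loggable_url: str  # the only form of the URL that should ever be written anywhere


def gate_request(method: str, url: str, user_confirmed: bool = False) -> Decision:
    """Decide whether the agent may send this request, and what it may log about it."""
    safe_url = redact_url(url)
    if is_destructive(method, url) and not user_confirmed:
        return Decision(False,
                        f"{method.upper()} {urlsplit(url).path} is irreversible; "
                        "ask the user before sending it",
                        safe_url)
    return Decision(True, "ok", safe_url)


if __name__ == "__main__":
    # Constructed requests; hostname from the report, paths assumed as described above.
    for method, url, confirmed in [
        ("GET", "https://gateway.maton.ai/google-play/inappproducts?package=com.example.app", False),
        ("DELETE", "https://gateway.maton.ai/google-play/inappproducts/premium_upgrade", False),
        ("POST", "https://gateway.maton.ai/google-play/purchases/subscriptions/tokens/t1:cancel", True),
        ("GET", "https://gateway.maton.ai/connect?session_token=abc123&provider=google-play", False),
    ]:
        d = gate_request(method, url, user_confirmed=confirmed)
        print(f"{'ALLOW' if d.allowed else 'BLOCK'} {method} {d.loggable_url}  ({d.reason})")
```

Wire gate_request in front of whatever actually issues the HTTP call, and log only Decision.loggable_url; the raw URL should exist nowhere except in the request itself. The verb list is deliberately short and must be extended for any other API the same proxy fronts.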
INFO Part of broader Maton skill ecosystem -20
This skill is one of potentially many Maton-powered API gateway skills. Each additional skill installed increases the amount of data flowing through Maton's proxy infrastructure and the potential blast radius if Maton's systems are compromised.
INFO No executable code in skill package -10
The skill contains only markdown documentation, metadata JSON, and a license file. No scripts, hooks, or executable code that would run during installation or at runtime.
INFO Clean installation with no suspicious activity -5
Installation completed without any network connections, process executions, or filesystem changes outside the skill directory. The /tmp/jiti/ files are from the ClawdBot runtime, not the skill.