Is google-search-console safe?
https://clawhub.ai/byungkyu/google-search-console
This skill is a documentation-only Google Search Console integration that proxies all API traffic through a third-party service (Maton). It contains no executable code or malicious patterns, but it routes sensitive search analytics data and OAuth credentials through third-party infrastructure, creating a significant trust dependency. The cross-skill reference to 'api-gateway' introduces a skill-chaining concern.
Findings (8)
MEDIUM Cross-skill installation suggestion -15
The skill description explicitly directs the agent to use another skill ('api-gateway' at https://clawhub.ai/byungkyu/api-gateway) for other third-party apps. This creates a skill-chaining vector where installing one skill leads to installing others from the same author, expanding the attack surface.
MEDIUM Inline executable code examples as agent instructions -13
The SKILL.md contains numerous Python heredoc and JavaScript code blocks that the agent is expected to execute directly in the user's shell. While these are presented as 'examples', in an agent context they function as executable instructions. The agent will run these Python scripts, which make HTTP requests and handle credentials.
MEDIUM All API traffic routed through third-party proxy -20
Every Google Search Console API call is proxied through gateway.maton.ai rather than going directly to Google's API. This gives the Maton organization full visibility into all search analytics queries, results, and site data. The user's MATON_API_KEY is sent with every request.
MEDIUM Persistent OAuth token managed by third party -15
The skill's connection management creates persistent OAuth connections on ctrl.maton.ai. These connections persist beyond individual API calls and give the third-party service ongoing access to the user's Google Search Console data. While a delete endpoint exists, the persistence model introduces ongoing risk.
LOW Sensitive file reads during runtime initialization 0
Filesystem monitoring detected reads of .env, .aws/credentials, and OpenClaw config files during the audit. These appear to be from the OpenClaw agent runtime rather than the skill itself, but the coincidence of timing warrants noting.
LOW No executable artifacts but agent-executable code patterns -20
The skill contains no standalone executable files, install scripts, git hooks, or submodules. However, the SKILL.md is densely packed with executable code snippets (Python, JavaScript) that an LLM agent would run in the user's environment. This is the intended design pattern but increases the execution surface.
LOW Clean installation with only runtime artifacts -15
The /tmp/jiti/ cache files and /tmp/openclaw-1000/ directory created during monitoring are standard OpenClaw runtime artifacts, not skill-initiated activity. No network connections, no process spawning, no filesystem changes outside expected paths.
INFO Third-party trust dependency with broad data access -45
This skill is functionally a client for Maton's API gateway service. Users must trust Maton with: (1) their API key, (2) their Google OAuth tokens, (3) all search analytics data flowing through the proxy. The skill is only as safe as the third-party service it depends on. If Maton's infrastructure were compromised or turned malicious, all connected users' Google Search Console data would be exposed.