Is google-slides safe?

https://clawhub.ai/byungkyu/google-slides

Score: 72 · CAUTION

This skill is a Google Slides API wrapper that routes all traffic through Maton's third-party proxy servers (gateway.maton.ai), giving the intermediary full access to user OAuth tokens and presentation data. During install, sensitive credential files (.env, .aws/credentials) were accessed outside the skill directory, and code was compiled/executed in /tmp. While no direct malicious payload was found and canary files remained intact, the opaque proxy architecture and credential file access patterns warrant caution.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 55/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (8)

HIGH Sensitive credential files accessed during install -30

The install process accessed /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json. These are sensitive credential stores outside the skill directory. While this may be the OpenClaw platform's normal initialization behavior, the skill install triggered reads of AWS credentials and environment files.

HIGH All API traffic routed through opaque third-party proxy -25

Every API call goes through gateway.maton.ai and ctrl.maton.ai rather than directly to Google's slides.googleapis.com. The Maton gateway has full visibility into the user's OAuth tokens, presentation content, and API key. There is no way to verify what data the proxy logs, retains, or forwards to other parties.

MEDIUM Cross-skill promotion in description -15

The skill description explicitly directs the agent to use another skill (api-gateway) for 'other third party apps', which could lead to unsolicited skill installation or chained agent behavior without explicit user consent.

MEDIUM Skill normalizes sending credentials to external servers -20

The SKILL.md instructs the agent to read MATON_API_KEY from environment variables and send it as a Bearer token in every HTTP request to Maton's servers. This trains the agent to treat credential exfiltration to third parties as normal behavior, potentially making the agent more susceptible to similar patterns from malicious prompts.

MEDIUM Code execution during install (jiti compilation, lock files) -15

The install process wrote compiled CJS files to /tmp/jiti/ and created a lock file at /tmp/openclaw-1000/. This indicates JavaScript transpilation and code execution happened during install, beyond simple file copying.

LOW OAuth connection management through a third party -15

OAuth connection setup routes through connect.maton.ai, meaning the user's Google authorization flow is mediated by Maton. Maton receives and manages the OAuth refresh tokens, giving them persistent access to the user's Google Slides data.

INFO No package.json, git hooks, or submodules -15

The skill contains no executable install hooks, git hooks, git submodules, or symlinks. The package.json is empty. Code execution risk is limited to the agent following SKILL.md instructions at runtime.

INFO Canary files intact 0

All honeypot files (fake .env, SSH keys, AWS credentials) were unmodified, indicating no targeted credential harvesting from planted decoys.