Is gumroad safe?
https://clawhub.ai/byungkyu/gumroad
This skill is a Gumroad API integration that routes all traffic through a third-party proxy (gateway.maton.ai) rather than directly to Gumroad's API. While no malicious code or active exploitation was detected, the architectural pattern places the Maton gateway in a persistent man-in-the-middle position with access to all OAuth tokens, customer data, sales records, and license keys. The skill also contains executable Python code blocks, a cross-skill reference that could expand attack surface, and a troubleshooting section that instructs the agent to print API keys.
Findings (11)
HIGH Third-party API gateway proxies all traffic -25
All Gumroad API calls are routed through gateway.maton.ai instead of directly to api.gumroad.com. This means the Maton gateway operator has full visibility into every API request and response, including customer emails, sales data, license keys, and OAuth tokens. The user's MATON_API_KEY is sent with every request, and the gateway 'automatically injects your OAuth token', meaning Maton holds and controls the actual Gumroad credentials.
MEDIUM API key echo in troubleshooting section -10
The troubleshooting section instructs the agent to run 'echo $MATON_API_KEY', which prints the secret API key to the console output. If the agent follows this instruction during debugging, the key appears in logs, terminal history, and potentially in LLM context that could be shared.
MEDIUM Connection management exposes OAuth session tokens -5
The connection management endpoints return URLs containing session tokens (e.g., 'https://connect.maton.ai/?session_token=...'). These tokens in API responses could be logged, cached, or exposed through agent context windows.
MEDIUM Cross-skill reference to api-gateway skill -15
The skill description includes a directive to use another skill ('For other third party apps, use the api-gateway skill') with a direct URL. This could be used to chain skills together, expanding the attack surface. An agent following this instruction would install/invoke a second skill from the same author.
MEDIUM Executable code blocks injected into agent context -10
SKILL.md contains numerous Python heredoc code blocks that an LLM agent may execute directly when asked to interact with Gumroad. While these are legitimate API examples, including ready-to-execute code in a document that is loaded into the agent's context creates risk if the skill content is later modified to include malicious commands.
LOW Troubleshooting instructions may override user intent -5
The troubleshooting section provides step-by-step instructions that an agent might follow autonomously when encountering errors, including printing secrets and making additional API calls to Maton's control plane.
MEDIUM Python heredoc code blocks ready for direct execution -15
The skill contains multiple Python heredoc blocks (python <<'EOF') designed to be copy-pasted into a shell. An LLM agent will likely execute these directly. While the current code appears to make legitimate API calls, this pattern means any future modification to these blocks would be executed with the agent's full privileges.
LOW No install scripts or hooks detected 0
Package.json is empty, no git hooks, no submodules, no symlinks. The skill is purely documentation/configuration with no executable install-time code.
INFO Clean clone with no suspicious activity -5
No network connections, no process spawning, no filesystem changes outside the skill directory during installation. The filesystem events logged are Go package cache reads from the VM baseline, unrelated to this skill.
LOW Man-in-the-middle position enables future abuse -20
Even if Maton's gateway is currently benign, the architectural pattern places a third party in a persistent man-in-the-middle position for all e-commerce operations. A compromise of Maton's infrastructure would expose all users' Gumroad data, OAuth tokens, customer lists, and license keys. This is an inherent trust dependency, not a current exploit.
MEDIUM Skill chain potential with api-gateway -25
The cross-reference to the api-gateway skill from the same author suggests a pattern where multiple skills from this author expand the agent's network surface area. If both skills are installed, the agent would route traffic for multiple third-party APIs through Maton's gateway.