Is hubspot-api safe?
https://clawhub.ai/byungkyu/hubspot-api
This skill is a documentation-only HubSpot CRM integration that routes all API traffic through a third-party proxy (gateway.maton.ai). While it contains no malicious code execution vectors and passed clone-time monitoring cleanly, the fundamental architecture requires full trust in Maton's infrastructure — they hold the real OAuth tokens and can observe all CRM data in transit. The skill also promotes installation of a companion api-gateway skill, expanding the trust perimeter. Users should understand they are granting a third party full access to their HubSpot CRM data.
Findings (11)
HIGH All traffic proxied through third-party gateway -25
Every HubSpot API call is routed through gateway.maton.ai rather than directly to api.hubapi.com. This third-party proxy has full visibility into all CRM data including contacts, companies, deals, and their properties. The proxy also holds the real OAuth token, meaning users never control their own HubSpot credentials — Maton does. This creates a single point of trust and a potential data collection vector.
MEDIUM API key sent to third-party on every request -10
The MATON_API_KEY environment variable is transmitted to Maton's infrastructure (gateway.maton.ai and ctrl.maton.ai) as a Bearer token on every API call. This key grants full access to the user's Maton account and all connected HubSpot instances.
MEDIUM Cross-skill promotion to api-gateway -18
The skill description explicitly directs the agent to use another skill ('api-gateway') for non-HubSpot tasks. This is a form of cross-skill influence that could cause the agent to install or invoke additional third-party skills without explicit user intent, expanding the attack surface.
MEDIUM Executable code blocks embedded in documentation -12
The SKILL.md contains numerous ready-to-execute Python heredoc blocks. When injected into an agent's system prompt, a compliant agent may execute these code blocks directly when asked to 'list contacts' or 'create a connection,' without the user explicitly requesting code execution. The pattern uses python <<'EOF' which is immediately executable in bash.
LOW Troubleshooting instructs echoing API key -8
The troubleshooting section instructs the agent to run 'echo $MATON_API_KEY' to verify the key is set. If the agent follows this instruction, the API key would be displayed in plaintext in the conversation, potentially exposing it in logs, screenshots, or shared sessions.
LOW Connection management exposes OAuth session tokens -5
The 'Create Connection' flow returns a URL containing a session_token parameter. If the agent displays this URL, it could be captured by observers. The connection management API at ctrl.maton.ai also provides metadata about all active OAuth connections.
MEDIUM Batch delete operations risk CRM data loss -15
The skill documents batch archive/delete operations that can remove up to 100 records per request. An agent following instructions could inadvertently delete large amounts of CRM data. While HubSpot has 90-day soft-delete recovery, this still poses operational risk.
MEDIUM Opaque proxy could modify API responses -15
Since Maton's gateway sits between the agent and HubSpot, it could theoretically inject, modify, or filter API responses. Users have no way to verify response integrity. A compromised or malicious gateway could return manipulated CRM data.
LOW Cross-skill chaining expands attack surface -15
If a user installs both this skill and the referenced api-gateway skill, the combined surface area allows the agent to interact with multiple third-party APIs through Maton's proxy, significantly increasing the potential for data exposure or unintended actions.
INFO Standard VM bootstrap filesystem access -5
Filesystem monitoring shows access to .env, .aws/credentials, and SSH host keys, but these are consistent with the VM execution environment's bootstrap process (sshd, wireplumber, openclaw agent init) rather than skill-initiated access. No skill-specific filesystem anomalies detected.
INFO No install-time code execution 0
The skill contains no package.json scripts, git hooks, gitattributes filters, submodules, or symlinks. Installation is purely file copy with no code execution.