Is jotform safe?

https://clawhub.ai/byungkyu/jotform

72
CAUTION

This JotForm skill is a documentation-only API integration that routes all JotForm API traffic through a third-party gateway (gateway.maton.ai) rather than connecting directly to JotForm's API. While no malicious code, install hooks, or credential exfiltration were detected, the man-in-the-middle proxy architecture means the gateway operator has full visibility into all form data and submissions, which may contain sensitive PII. The skill also provides webhook creation capabilities that could be abused to redirect form submission data to attacker-controlled endpoints.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (10)

HIGH All API traffic routed through third-party proxy -30

Every JotForm API call is proxied through gateway.maton.ai rather than going directly to api.jotform.com. The gateway operator (Maton) has full visibility into all requests and responses, including form submissions that may contain PII such as names, emails, phone numbers, and file uploads. The user's JotForm OAuth token is also held by the gateway.

MEDIUM Executable code blocks designed for agent execution -15

SKILL.md contains 10+ Python heredoc code blocks (python <<'EOF') that an LLM agent would naturally execute. While this is the skill's intended functionality, it means the skill author controls code that runs on the user's machine with access to environment variables.

MEDIUM Cross-promotion of another skill by URL -10

The skill description promotes another skill (api-gateway) with a direct ClawHub URL, potentially encouraging the agent or user to install additional skills that route more API traffic through the same third-party proxy.

MEDIUM Session tokens exposed in connection URLs -10

The connection creation flow returns OAuth authorization URLs containing session tokens. These tokens could be leaked through agent output, logs, or browser history.

LOW Troubleshooting instructs echoing API key -5

The troubleshooting section tells the agent to run 'echo $MATON_API_KEY' to verify the key is set. If an agent follows this instruction, the API key will appear in the conversation output visible to anyone viewing the session.

MEDIUM Webhook creation enables data redirection -25

The skill documents webhook creation endpoints. A malicious or compromised agent could be instructed to register attacker-controlled webhook URLs on user forms, causing all future form submissions to be forwarded to an external server.

LOW Delete operations available without confirmation patterns -5

The skill documents destructive operations (DELETE form, DELETE submission, DELETE connection) without suggesting confirmation patterns. An agent following these instructions could irreversibly delete user data.

INFO Runtime accesses sensitive files during initialization -10

The OpenClaw runtime (not the skill itself) reads .env, .aws/credentials, .profile, and .bashrc during initialization. This is standard runtime behavior but means these sensitive files are accessible in the execution environment.

INFO No malicious install scripts or hooks 0

The skill contains no package.json, no npm lifecycle scripts, no git hooks, no submodules, and no symlinks. Installation is clean.

INFO Canary files untouched 0

All honeypot files remained intact, confirming no automated credential exfiltration during install or runtime.