Is keap safe?

https://clawhub.ai/byungkyu/keap

82
SAFE

The Keap skill is a legitimate CRM API integration that routes all traffic through the Maton gateway proxy (gateway.maton.ai). No prompt injection, hidden code execution, or data exfiltration mechanisms were found. The primary risk is the inherent trust placed in the third-party Maton gateway, which handles both the API key and auto-injected OAuth tokens. Installation monitoring showed no suspicious network activity, no canary file access, and clean clone behavior.

Category Scores

Prompt Injection 78/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (6)

MEDIUM API key sent to third-party gateway -10

All API calls route through gateway.maton.ai and ctrl.maton.ai, which are third-party proxy services, not Keap's official API (api.infusionsoft.com). The user's MATON_API_KEY is sent as a Bearer token to these third-party domains. While this is the intended design of the Maton gateway service, users should understand their credentials and CRM data flow through a third-party intermediary.

MEDIUM Third-party credential proxy is a trust concentration risk -15

This skill routes all Keap API traffic through Maton's gateway (gateway.maton.ai), which acts as an OAuth token management proxy. Users must trust Maton with both their Maton API key and their Keap OAuth tokens. If the Maton service is compromised, attackers gain access to users' Keap CRM data.

LOW Cross-skill referral to api-gateway -7

The skill description references another skill (https://clawhub.ai/byungkyu/api-gateway) and instructs the agent to use it for other third-party apps, creating a potential skill chaining vector.

LOW Embedded executable Python code blocks -10

The skill contains multiple ready-to-execute Python heredoc code blocks that encourage the agent to run inline Python for API calls. The code is benign but the pattern normalizes arbitrary code execution.

LOW Email sending capability -5

The skill includes a Send Email endpoint that allows the agent to send emails to contacts through the user's Keap account.

LOW Destructive CRM operations available -10

DELETE endpoints for contacts, companies, tags, tasks, and opportunities are documented. A malicious or confused agent could delete business-critical CRM records.