Oathe Security Badge

Is byungkyu/kit safe?

https://github.com/openclaw/skills/tree/main/skills/byungkyu/kit

Overall score: 85 · Verdict: SAFE

The byungkyu/kit skill is a technically clean Kit (ConvertKit) API integration with no prompt injection, no hidden commands, no unauthorized filesystem access during install, and all canary honeypot files remained fully intact. The primary risk is architectural and disclosed: every API call and OAuth token flows through Maton's third-party gateway infrastructure (gateway.maton.ai, ctrl.maton.ai), giving Maton implicit visibility into the user's entire email marketing dataset and creating a supply-chain trust dependency that users should consciously accept before installation.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (5)

MEDIUM All Kit API traffic proxied through Maton's third-party gateway -25

Every API call made via this skill routes through gateway.maton.ai, which acts as a man-in-the-middle proxy between the agent and api.kit.com. Maton has full visibility into subscriber lists, email addresses, broadcast content, custom fields, purchase records, and webhook configurations. The skill also requires OAuth connections to be managed via ctrl.maton.ai, meaning Maton stores live Kit OAuth tokens on its infrastructure. This architecture is fully disclosed in the skill, but it represents a significant supply-chain trust requirement: the user must unconditionally trust Maton's operations, security posture, and data handling.

LOW MATON_API_KEY authenticates to Maton platform for all connections, not just Kit -15

The MATON_API_KEY environment variable is sent in the Authorization header of every request to both gateway.maton.ai and ctrl.maton.ai. This key grants access to all apps and connections configured on the user's Maton account, not only Kit. An agent with this skill active and the key present in its environment will transmit it on every request to both hosts, so the key's exposure is much broader than the Kit integration alone.

LOW Cross-skill referral URL injected into agent system context -8

The SKILL.md description field contains a hyperlink directing the agent to another Maton-authored skill: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway).' This text is injected directly into the agent's system prompt. While not a classic injection attack, it soft-nudges the agent to recommend or adopt additional Maton-controlled infrastructure without explicit user action, expanding Maton's footprint.

INFO Managed OAuth model creates single-point supply chain dependency on Maton -20

Maton's gateway injects Kit OAuth tokens into proxied requests without the user ever handling them directly. This means a breach, insider threat, or malicious update to Maton's service would grant full unauthorized access to the user's Kit account — including the ability to delete subscribers, send broadcasts, and register webhooks. Because the token never passes through the user's agent, standard credential rotation hygiene does not mitigate this risk.

INFO Numerous inline Python blocks are agent-executable on first prompt match -5

SKILL.md contains over a dozen Python heredoc examples (python <<'EOF' ... EOF) that access os.environ and make live HTTP requests. These are documentation patterns intended to be run by the agent verbatim when the user asks to perform the described operation. Any future poisoning of these examples (e.g., via a malicious skill update) would be executed directly. The current content is benign.