Is microsoft-excel safe?

https://clawhub.ai/byungkyu/microsoft-excel

Score: 72 (CAUTION)

This skill is a documentation-only API integration that proxies all Microsoft Excel/Graph API calls through Maton's third-party infrastructure (gateway.maton.ai). While it contains no executable code, hidden instructions, or malicious behavior during installation, the fundamental architecture routes all user data — including OAuth tokens and spreadsheet contents — through a third-party proxy, creating a significant trust dependency. The skill also cross-promotes another skill from the same author, which could expand the attack surface.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (8)

HIGH All data routed through third-party proxy -25

Every API call is proxied through gateway.maton.ai instead of going directly to graph.microsoft.com. The proxy operator (Maton) has full visibility into all requests and responses, including spreadsheet contents, file listings, and OAuth tokens. Users must trust this third party with complete access to their Microsoft account data.

HIGH OAuth tokens managed by third-party infrastructure -15

The OAuth connection flow is entirely managed through ctrl.maton.ai and connect.maton.ai. Users authorize Microsoft Graph access via a third-party session, giving Maton delegated access to their Microsoft account. The user's OAuth tokens are stored and injected by Maton's servers, not locally.

MEDIUM Cross-skill promotion and chaining -15

The skill description explicitly promotes another skill (api-gateway) by ClawHub URL: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'. This could lead an agent to install additional skills without explicit user consent, expanding the attack surface.

MEDIUM Agent instructed to execute inline code blocks -15

The skill provides Python heredoc code examples that agents are expected to execute directly via shell. While the code itself targets the intended API, this pattern normalizes the agent executing arbitrary code from skill documentation, which could be exploited in a modified version.

MEDIUM Broad OneDrive access via delegated permissions -30

The skill provides endpoints to list all root files, search across the entire drive, upload files, and read arbitrary ranges. An agent following these instructions has effectively full read/write access to the user's OneDrive, mediated through a third party.

LOW Environment variable access requirement -5

The skill requires MATON_API_KEY to be set as an environment variable and instructs the agent to use it in API calls. While declared in metadata, this normalizes the agent accessing environment variables, which could contain sensitive data.

INFO Clean installation with no anomalous behavior -5

The skill installed cleanly with no outbound network connections, no unexpected process execution, and no filesystem modifications outside expected paths. All observed filesystem events are attributable to the OpenClaw runtime, not the skill.

INFO No executable code in skill repository -10

The skill contains only documentation (SKILL.md), metadata (_meta.json), a license (LICENSE.txt), and registry metadata (.clawhub/origin.json). No JavaScript, Python, shell scripts, npm package.json, git hooks, submodules, or symlinks are present.