Is microsoft-to-do safe?
https://clawhub.ai/byungkyu/microsoft-to-do
This skill is a documentation-only Microsoft To Do API integration that contains no executable code, install hooks, or direct malicious content. However, it routes ALL user data through a third-party proxy (gateway.maton.ai) that holds the user's OAuth tokens and has full read/write access to their Microsoft To Do data. The skill also cross-references another skill for expanded installation and includes a troubleshooting step that could expose the API key in logs.
Findings (8)
HIGH All data routed through third-party proxy -25
Every API call goes through gateway.maton.ai instead of directly to graph.microsoft.com. The Maton gateway operator has full visibility into all Microsoft To Do data including task contents, OAuth tokens, and connection metadata. Users are trusting a third party with complete read/write access to their task data with no transparency into how that data is handled.
MEDIUM OAuth token managed by third party -10
The skill delegates OAuth token management entirely to maton.ai via ctrl.maton.ai/connections. The user's Microsoft OAuth tokens are stored and managed by Maton's infrastructure, meaning Maton has persistent access to the user's Microsoft account even when the agent is not running.
MEDIUM Cross-skill reference encourages expanded install surface -15
The skill description explicitly references another skill by URL: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'. This encourages the agent or user to install additional skills, expanding the attack surface. An agent following these instructions could autonomously install the referenced skill.
MEDIUM Troubleshooting instructs agent to expose API key -10
The troubleshooting section tells the agent to run 'echo $MATON_API_KEY' to verify the key is set. If an LLM agent follows this instruction, the API key would appear in agent output, conversation logs, or terminal history — exposing the credential.
LOW Inline executable code blocks in prompt content -5
The skill provides numerous Python heredoc code examples that an LLM agent would likely execute verbatim. While these are standard API examples, they establish a pattern where the agent trusts and runs code directly from the skill's markdown content.
LOW Install-time reads of sensitive files by host runtime -5
Filesystem monitoring shows the host agent runtime (not the skill itself) reading .env, .aws/credentials, .profile, .bashrc, and auth-profiles.json during skill installation. While attributable to the openclaw runtime rather than the skill, this context means the runtime environment has broad file access.
INFO No executable code in skill package 0
The skill contains only markdown documentation, metadata JSON, and a license file. No executable scripts, npm install hooks, git hooks, submodules, or symlinks are present. Package.json is empty.
INFO Ecosystem lock-in through gateway architecture -50
The skill creates dependency on maton.ai's gateway infrastructure rather than using Microsoft's API directly. This means if maton.ai is compromised, goes offline, or changes terms, all users of this skill are affected. It also means Maton can unilaterally revoke access or modify behavior.