Is one-drive safe?
https://clawhub.ai/byungkyu/one-drive
This skill is a legitimate OneDrive/Google Contacts API integration that routes all cloud data through Maton's third-party proxy gateway. The primary risk is the complete trust delegation to Maton's infrastructure — they hold OAuth tokens and see all data in transit. An undeclared bundled google-contacts skill expands scope beyond what users expect. No malicious code or active exfiltration was detected, but the architectural design creates significant data exposure to a third party.
Findings (7)
HIGH All data routed through third-party proxy (Maton) -25
Every API call to OneDrive and Google Contacts is proxied through gateway.maton.ai. Maton's servers see all file contents, contact details, and metadata in plaintext. Users must fully trust Maton's infrastructure security, data handling policies, and employee access controls. There is no end-to-end encryption between the agent and Microsoft/Google.
HIGH Persistent OAuth token access via Maton API key -15
The MATON_API_KEY grants Maton persistent delegated access to the user's Microsoft and Google accounts. Maton holds the actual OAuth tokens server-side and injects them automatically. Users cannot revoke Maton's access without deleting the connection through Maton's own API.
MEDIUM Undeclared bundled skill (google-contacts) -20
The repository slug is 'one-drive' but the installation includes a second complete skill (google-contacts) with its own SKILL.md. Users installing 'one-drive' unknowingly get Google Contacts API access injected into their agent's context, expanding the attack surface and data access beyond what was consented to.
MEDIUM Cross-skill reference to unaudited api-gateway skill -10
The skill description directs users to install another skill (api-gateway) from the same author for 'other third party apps'. This creates a trust chain where installing one skill encourages installing additional unaudited skills with potentially broader access.
MEDIUM Broad file and contact CRUD without least-privilege scoping -25
The skill provides full create, read, update, delete, and share operations on both OneDrive files and Google Contacts. There is no scoping mechanism to limit which folders, files, or contact groups the agent can access. A misbehaving or confused agent could delete files, share sensitive documents publicly, or mass-delete contacts.
LOW Inline executable code examples in SKILL.md -5
The skill contains multiple Python heredoc code blocks designed to be executed directly by the agent. While currently benign API calls, a future version update could modify these to include data exfiltration alongside legitimate operations.
INFO Runtime reads sensitive config files during install -10
The OpenClaw runtime (not the skill itself) reads .env, .aws/credentials, and .openclaw config files during installation. This is expected runtime behavior but indicates these files are accessible in the execution environment.