Is pipedrive-api safe?

https://clawhub.ai/byungkyu/pipedrive-api

78
CAUTION

The pipedrive-api skill is a documentation-only API reference that routes all Pipedrive CRM traffic through a third-party proxy gateway (Maton), creating a man-in-the-middle trust dependency. The most significant concern is that the repository bundles an unrequested google-workspace-admin skill with powerful admin capabilities (user creation/deletion, admin privilege escalation) that could be loaded by an agent without explicit user consent. No malicious code execution or data exfiltration was detected during installation.

Category Scores

Prompt Injection 68/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (9)

HIGH All API traffic routed through third-party proxy gateway -20

Every API call is proxied through gateway.maton.ai rather than going directly to api.pipedrive.com or admin.googleapis.com. This gives the gateway operator (Maton) full visibility into all request and response data, including CRM deal values, contact information, and Google Workspace user directories. Users must trust this third party with all their data.

HIGH Unrequested google-workspace-admin skill bundled with installation -22

The repository contains a second skill (google-workspace-admin) that was not part of the requested pipedrive-api installation. This skill provides full Google Workspace Admin SDK access including the ability to create/delete users, modify admin privileges (makeAdmin), manage groups, and alter organizational structure. An agent loading skills from this directory would gain these capabilities without the user explicitly requesting them.

MEDIUM API key sent to multiple third-party endpoints -8

The MATON_API_KEY is sent as a Bearer token to three different Maton-controlled domains: gateway.maton.ai, ctrl.maton.ai, and connect.maton.ai. This key appears to grant broad access across all Maton-connected services, not just Pipedrive.

MEDIUM Inline executable code blocks in skill prompt -10

The SKILL.md contains numerous Python heredoc code blocks designed to be executed directly by the agent. While functional, these establish a pattern where the agent routinely executes code from the skill prompt context, which could be exploited if the skill content were modified to include malicious payloads.

MEDIUM Cross-skill reference encourages additional installations -5

The skill description explicitly references and recommends another skill (api-gateway) by URL, encouraging the user/agent to install additional third-party proxy skills that expand the attack surface.

LOW OAuth token management delegated to third party -15

The skill's architecture delegates OAuth token storage and injection to Maton's gateway. Users never see or control their actual Pipedrive OAuth tokens — Maton holds them. This creates a dependency and trust relationship where Maton could use these tokens independently.

LOW Google Workspace admin operations enable privilege escalation -30

The bundled google-workspace-admin skill includes endpoints to make users admins, create new users, and modify role assignments. If an agent were to use these capabilities — whether through prompt injection or user error — it could lead to significant organizational damage.

INFO No executable code or install hooks present 0

The skill contains only Markdown documentation files, JSON metadata, and license files. No package.json install scripts, git hooks, .gitattributes filters, submodules, or symlinks were detected.

INFO Clean install with no suspicious activity 0

Installation produced no filesystem events, network connections, process executions, or firewall blocks. The clone/install behavior is completely benign.