Is quickbooks safe?

https://clawhub.ai/byungkyu/quickbooks

74
CAUTION

This QuickBooks skill provides legitimate accounting API integration but routes all financial data (customer PII, invoices, payments, financial reports) through a third-party proxy (gateway.maton.ai) with no transparency about data handling. The API key is sent to this third party on every request. Install-time monitoring shows access to sensitive credential files (.env, .aws/credentials). Not overtly malicious, but the opaque proxy architecture and credential forwarding pattern present meaningful data exposure risks.

Category Scores

Prompt Injection 62/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 60/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (10)

HIGH All financial data routed through third-party proxy -30

Every API call in this skill routes through gateway.maton.ai rather than directly to QuickBooks/Intuit APIs. This means all customer PII, invoice data, payment records, and financial reports (P&L, balance sheets) transit through Maton's infrastructure with no transparency about logging, retention, or data handling.

HIGH API key sent to third party on every request -15

The skill instructs the agent to send MATON_API_KEY as a Bearer token to gateway.maton.ai and ctrl.maton.ai on every request. This credential is effectively exfiltrated to a third party with every API call.

MEDIUM Cross-skill promotion creates trust-chaining vector -15

The skill description explicitly promotes another skill from the same author: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'. This creates a trust chain where installing one skill leads to installing another, expanding the attack surface.

MEDIUM Inline executable code blocks drive agent execution -13

The skill contains 15+ inline Python and bash code blocks using heredoc patterns that an LLM agent would execute directly. While not traditional prompt injection, this achieves code execution by instructing the agent to run network-calling code.

MEDIUM Implicit credential access request -10

The skill requires MATON_API_KEY as an environment variable and instructs the agent to use it in all API calls, but provides no scoping or least-privilege boundaries. The agent is directed to send this key to external services without explicit per-request user consent.

MEDIUM Install process accessed sensitive credential files -25

During installation, the process read /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json — all sensitive files outside the skill directory. While this may be ClawHub framework behavior, the access is notable.

MEDIUM OAuth session tokens exposed in plaintext responses -5

The connection management API returns OAuth session URLs containing session tokens in plaintext. If the agent logs or displays these responses, tokens could be leaked.

LOW JIT compilation during install -15

Multiple JavaScript files were JIT-compiled to /tmp/jiti/ during installation, indicating runtime code generation. While likely from the ClawHub framework, runtime code compilation during install is a potential vector for code injection.

LOW Heredoc code execution pattern bypasses static analysis -20

The skill uses Python heredoc patterns (python <<'EOF') for all API interactions. This pattern makes it harder to statically analyze what code will be executed, as the code is embedded in markdown rather than in standalone script files.

INFO Legitimate functionality with opaque data handling -35

The skill provides genuine QuickBooks integration functionality, but the Maton proxy architecture means users have no visibility into how their financial data is handled, stored, or potentially shared by the intermediary.