Is quo safe?
https://clawhub.ai/byungkyu/quo
The quo skill is a documentation-only API integration for the OpenPhone/Quo business phone system that routes all traffic through a third-party proxy gateway (gateway.maton.ai). While the skill contains no executable code or install scripts and canary files were untouched, the fundamental architecture sends all business communications data (SMS, calls, recordings, transcripts, contacts) and API credentials through Maton's infrastructure, creating significant data exposure risk. The embedded Python code blocks direct the agent to execute outbound HTTP requests, and the SMS-sending capability introduces social engineering risk if the agent is compromised.
Category Scores
Findings (10)
HIGH All API traffic routes through third-party proxy gateway -25 ▶
Every API call is directed to gateway.maton.ai rather than directly to the OpenPhone API (api.openphone.com). The Maton gateway operator has full access to all request and response data, including SMS content, call recordings, call transcripts, contact information, and the user's API credentials. This is a structural man-in-the-middle design.
HIGH User API key sent to third-party infrastructure -15 ▶
The MATON_API_KEY environment variable is sent as a Bearer token to gateway.maton.ai and ctrl.maton.ai on every request. The gateway operator can capture, store, and reuse these credentials to access the user's OpenPhone account independently.
MEDIUM Inline executable code blocks direct agent to run Python -20 ▶
SKILL.md contains over a dozen Python heredoc blocks (python <<'EOF' ... EOF) that the agent is expected to execute directly. While these are legitimate API examples, they establish a pattern where the agent runs code authored by the skill publisher, which could be modified in future versions to include malicious payloads.
MEDIUM Cross-skill reference to api-gateway skill -15 ▶
The skill description explicitly references another skill ('For other third party apps, use the api-gateway skill') with a direct URL. This could facilitate skill chaining where the agent is directed to install or invoke additional skills, expanding the attack surface.
MEDIUM Agent directed to execute outbound HTTP requests via Python -20 ▶
All code examples use Python's urllib.request to make outbound HTTP calls. The agent is instructed to execute these blocks, which send data to external servers. A malicious update to the skill could redirect these requests or add additional exfiltration endpoints.
MEDIUM SMS send capability creates social engineering risk -25 ▶
The skill enables sending SMS messages (POST /quo/v1/messages). If the agent is manipulated via prompt injection from another source, it could send phishing or spam messages from the user's business phone number, causing reputational and legal harm.
MEDIUM Skill contains no executable code beyond documentation examples -15 ▶
The skill consists only of SKILL.md, LICENSE.txt, and metadata files. There are no install scripts, git hooks, or bundled executables. All code execution risk comes from the agent following the inline code examples.
LOW Sensitive file reads during installation likely from host runtime -15 ▶
Filesystem monitoring detected reads of .env, .aws/credentials, and .openclaw/ config files during installation. These are likely caused by the host agent runtime (openclaw/clawdbot) rather than the skill itself, as the skill contains no install scripts. However, the access to .aws/credentials is notable.
LOW Sensitive business data accessible through API 0 ▶
The skill provides access to call recordings, call transcripts, call summaries, SMS message history, and full contact databases. All of this data transits through the Maton proxy gateway.
INFO All canary files intact 0 ▶
No honeypot files (.env, SSH keys, AWS credentials) were accessed or modified by the skill during installation or operation.