Is salesforce-api safe?
https://clawhub.ai/byungkyu/salesforce-api
This skill is a pure documentation package (no executable code) that provides a Salesforce CRM API integration via Maton's third-party proxy service. While the skill itself contains no malicious code, git hooks, or install scripts, its fundamental architecture routes ALL Salesforce data and OAuth credentials through gateway.maton.ai, creating a permanent man-in-the-middle position. The skill also cross-promotes another skill and normalizes inline code execution patterns that could be exploited by prompt injection.
Findings (8)
HIGH All Salesforce data transits third-party proxy -35
Every API call is routed through gateway.maton.ai rather than directly to Salesforce. This gives Maton full visibility into all SOQL queries, record CRUD operations, and query results including potentially sensitive CRM data (contacts, leads, opportunities, accounts). The user's MATON_API_KEY is sent as a Bearer token to this proxy on every request.
HIGH OAuth tokens managed by third-party service -10
Salesforce OAuth connections are created and managed through ctrl.maton.ai. This means Maton stores and controls the OAuth tokens that grant access to the user's Salesforce instance. Users must complete OAuth authorization through connect.maton.ai, giving Maton persistent access to their Salesforce org.
MEDIUM Cross-skill promotion creates installation funnel -15
The skill description explicitly promotes another skill: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'. This could lead agents to suggest installing additional skills, expanding the attack surface. If the api-gateway skill is compromised, this skill serves as a vector.
MEDIUM Inline code execution patterns normalize arbitrary execution -15
The skill's examples use 'python <<EOF' heredoc patterns that instruct the agent to execute inline Python code making network requests. While these target legitimate Salesforce endpoints, the pattern normalizes the agent executing arbitrary code blocks, making it easier for follow-up prompt injections to exploit this behavior.
MEDIUM Environment variable access request for third-party key -8
The skill requires the MATON_API_KEY environment variable and instructs the agent to read and use it in requests to Maton's servers. This is a legitimate API key requirement but grants the skill (and Maton's infrastructure) access to a credential that could be reused across multiple Maton-powered skills.
LOW OpenClaw runtime reads sensitive files during install -15
The filesystem monitoring shows .env, .aws/credentials, .profile, and .bashrc were accessed during the install phase. This appears to be the OpenClaw runtime behavior rather than the skill itself, but it means the runtime environment has access to these sensitive files when skills are loaded.
INFO No executable artifacts in skill package -10
The skill contains only SKILL.md, _meta.json, LICENSE.txt, and origin.json. No JavaScript, Python, shell scripts, git hooks, submodules, or symlinks. Package.json is empty. The skill is purely documentation.
MEDIUM Man-in-the-middle architecture by design -50
The skill's entire value proposition is proxying Salesforce API through Maton's servers. While this enables managed OAuth (a convenience), it creates a permanent man-in-the-middle position. A compromised Maton service could: intercept all CRM data, modify query results, harvest credentials, or inject additional instructions into responses. Users have no way to verify Maton's handling of their data.