Is slack-api safe?

https://clawhub.ai/byungkyu/slack-api

72
CAUTION

This Slack API skill is documentation-only with a clean install profile and no executable code. However, it routes ALL Slack API traffic through a third-party gateway (Maton) that holds the user's OAuth token server-side, creating a significant man-in-the-middle trust dependency. The skill also cross-promotes another skill from the same author, potentially expanding the attack surface.

Category Scores

Prompt Injection 60/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (8)

HIGH All Slack traffic proxied through third-party gateway -25

Every Slack API call is routed through gateway.maton.ai, which holds the user's OAuth token server-side. Maton can intercept, log, and store all Slack messages, user data, channel history, and file uploads. The user has no visibility into what Maton does with this data.

MEDIUM Third-party API key requirement exposes credential -10

The skill requires users to set MATON_API_KEY as an environment variable and send it in Authorization headers to Maton's servers. This credential grants Maton persistent access to manage the user's connections and proxy their API calls.

MEDIUM Cross-skill promotion enables skill-chaining -20

The skill description explicitly promotes another skill ('api-gateway') with a direct ClawHub URL. An agent following these instructions could install or invoke the additional skill, expanding the attack surface without explicit user consent.

MEDIUM Inline code execution patterns normalize shell/Python execution -15

The skill's examples use 'python <<EOF' heredoc patterns that, when followed by an LLM agent, result in arbitrary code execution. While these are API call templates, the pattern trains the agent to execute inline code, which could be exploited if the skill content were modified.

LOW IMPORTANT directives may influence agent behavior -5

The Notes section contains 'IMPORTANT:' prefixed instructions that could influence agent behavior beyond the intended Slack API scope, particularly around how commands are constructed.

HIGH Maton gateway is a full man-in-the-middle for Slack access -55

The architectural design places Maton as a persistent intermediary with full access to the user's Slack workspace. Maton holds the OAuth token, proxies all API calls, and can read/send messages as the user. A compromise of Maton's infrastructure would give attackers full access to every connected user's Slack workspace.

INFO Documentation-only skill with no executable code 0

The skill contains only SKILL.md, metadata files, and a license. No executable scripts, npm packages, git hooks, or symlinks are present. This is a positive indicator.

INFO Clean install with no suspicious activity 0

Monitoring detected zero network connections, zero process spawning, zero filesystem changes, and zero firewall blocks during installation.