Is squareup safe?

https://clawhub.ai/byungkyu/squareup

Score: 72 · CAUTION

This skill is a documentation-only Square API integration that routes all financial operations through maton.ai's third-party gateway. While it contains no executable code, hidden instructions, or direct exfiltration attempts, the architectural design means all payment data, customer PII, and OAuth tokens are controlled by an external intermediary. The skill is functionally a man-in-the-middle for Square API access.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (8)

HIGH All financial data routed through third-party gateway -30

Every API call (payments, customers, orders, invoices) is proxied through gateway.maton.ai instead of connecting directly to Square's API (connect.squareup.com). The gateway operator has full access to read, log, or modify all financial data in transit including payment amounts, customer PII, card nonces, and order details.

HIGH OAuth tokens managed by third party -15

Square OAuth tokens are stored and injected by maton.ai's infrastructure. Users never see or control their own OAuth tokens. The gateway 'automatically injects your OAuth token', meaning maton.ai holds the keys to the user's Square account.

MEDIUM Cross-references external skill for installation -15

The skill description recommends installing another skill (api-gateway) from the same author for 'other third party apps'. This cross-promotion pattern could be used to expand the attack surface by encouraging installation of additional skills.

MEDIUM Normalizes inline code execution patterns -15

The skill heavily uses Python heredoc execution patterns (python <<'EOF') as the primary interaction model. This trains the agent to routinely execute inline code blocks, which could be exploited by prompt injection in API responses or user-supplied data that gets interpolated into these patterns.

MEDIUM Full financial operations via untrusted intermediary -50

The skill enables creating payments, refunds, managing customers, and sending invoices — all through a third-party proxy. A compromised or malicious gateway could silently modify payment amounts, redirect refunds, alter customer data, or send fraudulent invoices.

LOW AWS credentials file accessed during runtime initialization -10

The filesystem monitoring shows /home/oc-exec/.aws/credentials was opened during the install process. This appears to be from the OpenClaw runtime rather than the skill itself, but it indicates the runtime environment exposes sensitive credential files.

INFO No executable code in skill repository 0

The skill contains only markdown documentation, JSON metadata, and a license file. No executable scripts, install hooks, or dependency chains exist.

INFO All honeypot files intact 0

No canary files were accessed or modified during the audit, indicating no automated credential harvesting behavior.