Is systeme safe?

https://clawhub.ai/byungkyu/systeme

72
CAUTION

This skill is a Systeme.io API integration that routes all traffic through a third-party proxy (Maton). While the skill itself contains no malicious code, executable payloads, or hidden instructions, its architecture requires users to fully trust an intermediary with their API credentials and OAuth tokens. The cross-skill referral to api-gateway and the pattern of inline executable code blocks present moderate prompt-injection and chaining risks.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (9)

HIGH All traffic proxied through third-party gateway -25

Every API call is routed through gateway.maton.ai instead of directly to api.systeme.io. The gateway operator (Maton) has full visibility into all request data, response data, and OAuth tokens. This is a man-in-the-middle architecture by design. While this may be a legitimate OAuth proxy service, users must fully trust Maton with all their Systeme.io data.

HIGH OAuth token management by third party -15

Connection management at ctrl.maton.ai handles OAuth authorization flows. The gateway stores and manages user OAuth tokens for Systeme.io, meaning the third party has persistent access to the user's Systeme.io account even when the skill is not actively being used.

MEDIUM Cross-skill referral enables chaining -15

The skill description explicitly directs the agent to use another skill (api-gateway at https://clawhub.ai/byungkyu/api-gateway) for 'other third party apps'. This cross-referral could be exploited to chain skills together, expanding the attack surface. If the api-gateway skill is compromised, this skill acts as an entry point.

MEDIUM Inline executable code blocks encourage blind execution -15

The skill contains numerous Python heredoc blocks designed to be executed directly by the agent. This establishes a behavioral pattern where the agent executes code from the skill without user confirmation, which could be exploited if the skill content were modified to include malicious code.

MEDIUM Authority-style directives in notes -5

The Notes section uses 'IMPORTANT:'-prefixed directives that mimic system-level instructions. While the content is benign (curl flags, env var expansion), this pattern could be used to smuggle more harmful instructions in future versions.

LOW Troubleshooting encourages printing API key -5

The troubleshooting section instructs users to run 'echo $MATON_API_KEY', which could expose the key in terminal logs, shell history, or screen recordings.

LOW Inline Python code blocks for API calls -18

The skill provides ready-to-execute Python code blocks using urllib.request. While these are standard API call patterns, they bypass any skill sandboxing since they execute as raw Python in the agent's shell.

INFO Gateway model normalizes credential delegation -45

The skill normalizes sending API credentials to a third-party intermediary service. Users accustomed to this pattern may be less cautious about future skills that similarly proxy credentials through unknown services.

INFO Runtime reads sensitive files during install -15

The monitoring shows .env, .aws/credentials, and other sensitive files being read during install, but this is attributable to the OpenClaw agent runtime environment bootstrapping, not the skill itself. The skill contains no install scripts.