Is tally-api safe?
https://clawhub.ai/byungkyu/tally-api
This Tally API integration skill is a documentation-only package with no executable artifacts, install scripts, or malicious code. However, it routes ALL API traffic through a third-party proxy (gateway.maton.ai) rather than the native Tally API, giving the proxy operator full visibility into OAuth tokens, API keys, and form submission data that may contain PII. The skill also cross-references another skill from the same author, suggesting a pattern of funneling multiple integrations through the same proxy infrastructure.
Findings (9)
HIGH (-30): All API traffic routed through third-party proxy
Every API request is routed through gateway.maton.ai and ctrl.maton.ai rather than directly to the native Tally API (api.tally.so). This gives the proxy operator (Maton) full visibility into all requests, responses, OAuth tokens, form submissions containing PII, and the user's MATON_API_KEY. There is no way to verify what the proxy does with this data server-side.
MEDIUM (-15): Cross-skill reference promotes chained installation
The skill description explicitly directs users to install another skill ('api-gateway') for other third-party apps. This cross-referencing pattern could be used to chain-install skills, expanding the attack surface. A malicious actor could use a benign skill as a gateway to promote installation of a more dangerous one.
MEDIUM (-15): Embedded executable code blocks direct agent behavior
The SKILL.md contains 15+ Python code blocks with heredoc execution patterns that the agent is expected to run. While this is the intended usage pattern for API skills, it means the skill content directly controls what code the agent executes, including which endpoints receive the user's credentials.
MEDIUM (-10): OAuth session tokens exposed in API responses
The connection management API returns OAuth session tokens in plaintext within JSON responses. These tokens, visible to both the proxy and the agent's context window, could be logged, cached, or leaked through conversation history.
MEDIUM (-20): Webhook creation enables data redirection
The skill documents webhook creation with arbitrary URL targets. If an agent is socially engineered or prompted to create webhooks, form submission data (potentially containing PII) could be redirected to attacker-controlled endpoints without the user's awareness.
LOW (-10): Python heredoc execution pattern
All code examples use the python <<'EOF' heredoc pattern, which executes inline Python. While no malicious payloads are present, this pattern means the agent will run network-calling code directly from the skill content, without separate script files that could be reviewed beforehand.
LOW (-15): Sensitive file reads during installation
Filesystem monitoring detected reads of .env, .aws/credentials, and multiple config files during installation. These appear to be standard platform initialization reads rather than skill-initiated exfiltration, but they demonstrate that sensitive files are accessible in the execution environment.
INFO (0): No executable artifacts in skill package
The skill contains only SKILL.md, _meta.json, LICENSE.txt, and origin.json. No package.json with install scripts, no git hooks, no submodules, no symlinks. The skill is purely documentation-driven.
INFO (0): All honeypot files intact
No canary files were accessed or modified during the skill installation and clone process, indicating no automated credential harvesting.