Is typeform safe?

https://clawhub.ai/byungkyu/typeform

72
CAUTION

This skill is a documentation-only Typeform API integration that routes all traffic through a third-party proxy service (Maton). While the repository contains no executable code and exhibited clean clone behavior, the proxy architecture means all Typeform data and OAuth tokens pass through Maton's infrastructure, creating an inherent trust dependency. The cross-promotion of additional proxy-based skills increases the potential blast radius of a compromise.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (8)

MEDIUM Third-party proxy intercepts all API traffic -25

Every Typeform API request is routed through gateway.maton.ai instead of directly to api.typeform.com. The Maton proxy injects OAuth tokens server-side, meaning the proxy operator has full access to the user's Typeform account data, including form contents, respondent PII, and all survey responses. Users cannot verify what the proxy does with this data.

MEDIUM OAuth token management delegated to third party -15

OAuth connection creation and management flows through ctrl.maton.ai and connect.maton.ai. The Maton service controls the full OAuth lifecycle, including token storage, refresh, and injection. Users must trust Maton with their Typeform OAuth credentials with no way to audit token handling.

LOW Cross-skill promotion in description -10

The skill description contains a direct link to another skill (api-gateway) with language encouraging its installation: 'For other third party apps, use the api-gateway skill'. This could lead agents to recommend or auto-install additional skills, expanding the attack surface.

LOW Executable code blocks in agent context -10

SKILL.md contains multiple ready-to-execute Python and JavaScript code blocks that use urllib/requests to make HTTP calls. When injected into an agent's context, the agent may execute these verbatim, potentially without the user explicitly approving each network call to Maton's servers.

LOW Troubleshooting instructs echoing API key -10

The troubleshooting section includes 'echo $MATON_API_KEY' as a diagnostic step. If an agent follows this instruction, the API key could be exposed in chat logs, terminal output, or screen shares.

INFO No executable code in repository -5

The skill contains only markdown documentation, JSON metadata, and a license file. No install scripts, git hooks, submodules, or symlinks were detected. Code examples exist only as inline markdown blocks within SKILL.md.

INFO Clean clone behavior -5

No suspicious activity detected during installation. Filesystem events were limited to standard jiti cache files in /tmp. No network connections, process spawning, or firewall blocks observed.

MEDIUM Proxy architecture creates centralized risk -55

If a user installs multiple Maton-proxied skills (typeform, api-gateway, etc.), a single MATON_API_KEY compromise or Maton service breach would expose all connected third-party accounts simultaneously. The proxy architecture concentrates risk rather than distributing it.