Is xero safe?

https://clawhub.ai/byungkyu/xero

72
CAUTION

The Xero skill is a documentation-only package with no executable code, clean clone behavior, and intact canary files. However, it routes ALL Xero financial data through a third-party intermediary (maton.ai) that manages OAuth tokens and proxies every API request, creating significant data exposure and trust-delegation risks. The skill also cross-promotes additional skills from the same ecosystem and includes a troubleshooting step that would leak the API key to stdout.

Category Scores

Prompt Injection 62/100 · 30%
Data Exfiltration 58/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (10)

HIGH All financial data routed through third-party proxy -25

Every API call routes through gateway.maton.ai rather than directly to api.xero.com. This means all Xero financial data (invoices, bank transactions, payments, contacts, organization details) passes through Maton's servers. Maton has full visibility into the user's accounting data.

HIGH OAuth tokens managed by third-party intermediary -12

OAuth connection lifecycle (create, delete, manage) is fully delegated to ctrl.maton.ai. Maton holds the actual OAuth tokens and could independently access the user's Xero account. The user never directly authenticates with Xero — Maton acts as a man-in-the-middle for authentication.

MEDIUM Cross-skill promotion in description -15

The skill description references and promotes another skill by URL (https://clawhub.ai/byungkyu/api-gateway), potentially influencing the agent to install additional skills from the same author. This creates an expansion vector where one trusted skill leads to installation of more skills with broader access.

MEDIUM Skill instructs agent to execute inline code -13

All code examples use python heredoc patterns (python <<'EOF') that the agent would execute directly. This normalizes the agent executing arbitrary code blocks from skill documentation, which could be exploited if skill content were modified.

MEDIUM Troubleshooting section encourages API key echo -10

The troubleshooting section explicitly instructs the agent to run 'echo $MATON_API_KEY', which would print the secret API key to the agent's output. This could leak the key to logs, screen sharing, or other observation channels.

MEDIUM API key sent to non-Xero third party -5

The MATON_API_KEY is sent as a Bearer token to gateway.maton.ai and ctrl.maton.ai on every request. This key is not a Xero credential — it's a Maton credential that grants Maton persistent access to act on behalf of the user.

LOW Part of broader third-party API funneling ecosystem -25

This skill is part of a pattern where multiple skills (xero, api-gateway, potentially others) all route through Maton's infrastructure. This creates a single point of compromise — if Maton's gateway is breached, all connected services are exposed.

LOW Financial data exposure through gateway compromise -25

If Maton's gateway were compromised, an attacker could intercept or modify invoices, payments, bank transactions, and contact information. The gateway has write access (POST endpoints for creating invoices, contacts, payments).

INFO No executable code in skill package -10

The skill contains only documentation files (SKILL.md, _meta.json, LICENSE.txt, origin.json, lock.json). No executable scripts, install hooks, git hooks, submodules, or symlinks were detected.

INFO Clean clone behavior -5

No suspicious activity during installation. Filesystem events were limited to standard jiti cache operations. No network connections or process spawning detected.