Is clawhub/server-monitor safe?

https://github.com/clawhub/server-monitor

72
CAUTION

This Gumroad API integration skill routes all API traffic through Maton's third-party proxy servers (gateway.maton.ai, ctrl.maton.ai, connect.maton.ai), giving Maton full visibility into the user's Gumroad data including OAuth tokens, customer PII, sales, and license keys. While the skill contains no overtly malicious code and showed clean clone/canary behavior, the man-in-the-middle proxy architecture, credential storage by a third party, inline executable code blocks, and cross-skill referral represent meaningful security concerns that warrant caution.

Category Scores

Category               Score     Weight
Prompt Injection       62/100    30%
Data Exfiltration      55/100    25%
Code Execution         70/100    20%
Clone Behavior        100/100    10%
Canary Integrity      100/100    10%
Behavioral Reasoning   45/100     5%

Findings (8)

HIGH (-30): All API traffic routed through third-party proxy

Every Gumroad API call is proxied through gateway.maton.ai instead of calling api.gumroad.com directly. This gives the Maton service full access to all request and response data, including OAuth tokens, customer emails, sales data, license keys, and revenue information. The user's MATON_API_KEY is also sent to ctrl.maton.ai and connect.maton.ai for connection management.

MEDIUM (-18): Cross-skill referral to external skill

The skill description contains a directive to use another skill ('api-gateway' from clawhub.ai/byungkyu/api-gateway) for other third-party apps. This cross-referral could chain the agent into installing additional skills with unknown security properties, expanding the attack surface.

MEDIUM (-10): Skill instructs agent to expose environment variables

The troubleshooting section instructs the agent to run 'echo $MATON_API_KEY' which would expose the API key in the agent's output. This could leak credentials to logs, screen recordings, or shared sessions.

MEDIUM (-30): Inline executable Python code blocks

SKILL.md contains numerous Python heredoc code blocks (python <<'EOF') that are designed to be executed directly by the agent. While the code itself appears to only make API calls to Maton endpoints, this pattern normalizes running arbitrary code from skill files and could be modified in future versions to include malicious payloads.

MEDIUM (-15): OAuth token managed by third party

The Maton gateway 'automatically injects your OAuth token' meaning Maton stores and has persistent access to the user's Gumroad OAuth credentials. The user must trust Maton not only as a proxy but as a credential store.

MEDIUM (-10): Agent instructed to execute Python code directly

The Quick Start and all code examples use a pattern where the agent is expected to run Python scripts directly in the shell. This normalizes the agent executing code from skill files, making it easier for a malicious skill update to inject harmful code.

LOW (0): Audit target URL mismatch

The audit target URL (github.com/clawhub/server-monitor) does not match the actual installed skill (gumroad by maton). The clone of the target URL failed entirely. The skill content was analyzed from the installed files rather than the stated repository.

INFO (0): No install-time code execution vectors

No package.json scripts, git hooks, gitattributes filters, submodules, or symlinks were detected. The skill is purely a markdown documentation file with no install-time code execution.