Is kdegeek/api-gateway-1 safe?

https://github.com/openclaw/skills/tree/main/skills/kdegeek/api-gateway-1

83 · SAFE

The api-gateway skill by Maton.ai is a legitimate, transparently documented OAuth proxy service with no malicious content, no prompt injection, and clean installation behavior. All canary files remained intact and no unexpected network connections or file accesses were observed during install. The primary security consideration is architectural, not adversarial: all API traffic to 100+ connected services (including Gmail, Stripe, Salesforce, GitHub, and Slack) routes through Maton.ai's infrastructure, and Maton holds delegated OAuth tokens for every connected account — a trust relationship users must consciously accept before installation.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (5)

HIGH · All API traffic to 100+ services proxied through Maton.ai infrastructure · -35

Every API call made through this skill passes through gateway.maton.ai before reaching the target API. This includes reads and writes across Gmail, Slack, Stripe, Salesforce, GitHub, HubSpot, Notion, and 93+ other services. Maton.ai has full visibility into request bodies, response data, and query parameters for all proxied calls. To enable OAuth injection, Maton must store delegated refresh tokens for every connected service. While this is the stated and transparent purpose of the product, users must understand they are trusting a third party with access to all their connected business data. A compromise of Maton's infrastructure or a policy change would affect all connected services simultaneously.

MEDIUM · Overly broad skill activation scope may cause unintended proxy routing · -30

The skill frontmatter instructs the agent to use this skill 'when users want to interact with external services.' This is an extremely broad trigger that covers virtually any task involving an external API. An agent following this instruction literally may route API calls through Maton's infrastructure without the user explicitly understanding or consenting to the intermediary. Users expecting direct API connections (for compliance, latency, or privacy reasons) would not be served by this behavior.

LOW · Security disclaimer may reduce user scrutiny of proxy architecture · -12

The skill description leads with a security note: 'The MATON_API_KEY authenticates with Maton.ai but grants NO access to third-party services by itself.' While technically accurate (the key alone cannot call third-party APIs without an active OAuth connection), this framing focuses attention on the API key's standalone power rather than the more significant risk that all API traffic and OAuth tokens flow through Maton's servers. This is not an injection attack but a framing choice that may cause users to underestimate the trust surface.

LOW · Skill embeds numerous directly executable Python code blocks · -10

The SKILL.md contains over 20 Python heredoc blocks formatted for direct shell execution. The code itself is benign — standard urllib.request HTTP client calls to documented Maton endpoints. However, the volume of inline executable examples increases the attack surface if the skill file were ever tampered with (e.g., via a supply chain update), as an agent reading the skill would receive modified executable instructions without explicit user review.

INFO · System credential file reads during install window are PAM/GDM session activity · -12

Filesystem monitoring detected multiple reads of /etc/passwd, /etc/shadow, and /home/oc-exec/.local/share/keyrings/login.keyring during the installation window. These events are consistent with the GDM autologin and PAM session initialization sequence visible in the monitoring timeline (02:28:29 cluster, matching the autologin PAM chain). auditd syscall monitoring confirms no sensitive file access attributable to the install process itself. Not a finding against the skill.