Safety Report

Google Contacts

Name: Google Contacts
Rating: 5 (4 reviews)
Author: byungkyu

Google Contacts API integration with managed OAuth. Manage contacts, contact groups, and search your address book. Use this skill when users want to create, read, update, or delete contacts, manage contact groups, or search for people in their Google account. For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway).

5,081Downloads

0Installs

4Stars

4Versions

API Integration4,971 Search & Retrieval2,116 Networking & DNS1,102 Maps & Geolocation980

Security Analysis

medium confidence

Clean0.04 risk

The skill is internally consistent: it proxies Google People API calls through Maton (gateway.maton.ai / ctrl.maton.ai) and only requires a single MATON_API_KEY; however the author/source and lack of a homepage mean you should verify you trust the Maton service before use.

Feb 11, 20262 files1 concern

Purpose & Capabilityok

The name/description (Google Contacts via managed OAuth) match the actual instructions: calls to gateway.maton.ai and ctrl.maton.ai to access Google People API and manage OAuth connections. No unrelated services, binaries, or config paths are requested.

Instruction Scopeok

SKILL.md explicitly instructs the agent to call Maton endpoints (gateway.maton.ai, ctrl.maton.ai) and to open the returned connect.maton.ai URL for OAuth. It does not instruct reading local files, unrelated env vars, or contacting unexpected endpoints beyond Maton and the proxied Google API.

Install Mechanismok

No install spec and no code files — instruction-only — so nothing is written to disk or installed. This minimizes install-time risk.

Credentialsnote

Only MATON_API_KEY is required, which is proportionate because the gateway uses it as a bearer token to authenticate requests. However, that key effectively grants Maton access to your Google contacts (through the managed OAuth flow), so the trust boundary is the Maton service; the skill asks for no other secrets.

Persistence & Privilegeok

always:false and default autonomous invocation settings are used. The skill does not request persistent system presence, nor modify other skills or system configs.

Guidance

This skill delegates all Google Contacts traffic and OAuth handling to Maton (gateway.maton.ai, ctrl.maton.ai, connect.maton.ai). MATON_API_KEY is a bearer-style key that authorizes those requests — treat it like a credential: only obtain it from Maton’s official dashboard, store it securely, and revoke it if compromised. The skill is instruction-only (no local install), which reduces code risk, but the published package lacks a homepage and the source is 'unknown' — verify the publisher/owner identity and Maton’s privacy/security policies before installing, especially for business or sensitive accounts. If you prefer tighter control, use an officially supported Google integration or a gateway you run yourself. Finally, remove any OAuth connections you no longer need and limit key exposure (avoid pasting into public/shared environments).

Latest Release

v1.0.3

- Added `clawdbot` metadata, including an emoji and explicit required environment variable (`MATON_API_KEY`), to the skill manifest. - No changes to API, functionality, or documentation content outside of metadata.

More by @byungkyu

API Gateway

180 stars

Microsoft Excel

30 stars

Fathom

11 stars

Todoist

11 stars

Microsoft OneDrive

7 stars

Jira

6 stars

Published by @byungkyu on ClawHub