api-gateway
Facilitates secure connections to over 100 APIs using managed OAuth, enabling seamless integration with various external services.
Security score
The api-gateway skill was audited on Mar 6, 2026 and we found 52 security issues across 4 threat categories. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 535 | 'Authorization': `Bearer ${process.env.MATON_API_KEY}` |
Fetch to external URL
| 531 | const response = await fetch('https://gateway.maton.ai/slack/api/chat.postMessage', { |
Webhook reference - potential data exfiltration
| 313 | - [Asana](references/asana/README.md) - Tasks, projects, workspaces, webhooks |
Webhook reference - potential data exfiltration
| 320 | - [Calendly](references/calendly/README.md) - Event types, scheduled events, availability, webhooks |
Webhook reference - potential data exfiltration
| 321 | - [Cal.com](references/cal-com/README.md) - Event types, bookings, schedules, availability slots, webhooks |
Webhook reference - potential data exfiltration
| 324 | - [ClickFunnels](references/clickfunnels/README.md) - Contacts, products, orders, courses, webhooks |
Webhook reference - potential data exfiltration
| 326 | - [ClickUp](references/clickup/README.md) - Tasks, lists, folders, spaces, webhooks |
Webhook reference - potential data exfiltration
| 337 | - [Fathom](references/fathom/README.md) - Meeting recordings, transcripts, summaries, webhooks |
Webhook reference - potential data exfiltration
| 342 | - [Gumroad](references/gumroad/README.md) - Products, sales, subscribers, licenses, webhooks |
Webhook reference - potential data exfiltration
| 367 | - [JotForm](references/jotform/README.md) - Forms, submissions, webhooks |
Webhook reference - potential data exfiltration
| 378 | - [Manus](references/manus/README.md) - AI agent tasks, projects, files, webhooks |
Webhook reference - potential data exfiltration
| 394 | - [Quo](references/quo/README.md) - Calls, messages, contacts, conversations, webhooks |
Webhook reference - potential data exfiltration
| 406 | - [Systeme.io](references/systeme/README.md) - Contacts, tags, courses, communities, webhooks |
Webhook reference - potential data exfiltration
| 407 | - [Tally](references/tally/README.md) - Forms, submissions, workspaces, webhooks |
Access to .env file
| 535 | 'Authorization': `Bearer ${process.env.MATON_API_KEY}` |
External URL reference
| 6 | Security: The MATON_API_KEY authenticates with Maton.ai but grants NO access to third-party services by itself. Each service requires explicit OAuth authorization by the user through Maton's connect f |
External URL reference
| 13 | homepage: "https://maton.ai" |
External URL reference
| 21 | Passthrough proxy for direct access to third-party APIs using managed OAuth connections, provided by [Maton](https://maton.ai). The API gateway lets you call native API endpoints directly. |
External URL reference
| 30 | req = urllib.request.Request('https://gateway.maton.ai/slack/api/chat.postMessage', data=data, method='POST') |
External URL reference
| 41 | https://gateway.maton.ai/{app}/{native-api-path} |
External URL reference
| 66 | 1. Sign in or create an account at [maton.ai](https://maton.ai) |
External URL reference
| 67 | 2. Go to [maton.ai/settings](https://maton.ai/settings) |
External URL reference
| 72 | Connection management uses a separate base URL: `https://ctrl.maton.ai` |
External URL reference
| 79 | req = urllib.request.Request('https://ctrl.maton.ai/connections?app=slack&status=ACTIVE') |
External URL reference
| 98 | "url": "https://connect.maton.ai/?session_token=5e9...", |
External URL reference
| 113 | req = urllib.request.Request('https://ctrl.maton.ai/connections', data=data, method='POST') |
External URL reference
| 129 | req = urllib.request.Request('https://ctrl.maton.ai/connections/{connection_id}') |
External URL reference
| 143 | "url": "https://connect.maton.ai/?session_token=5e9...", |
External URL reference
| 157 | req = urllib.request.Request('https://ctrl.maton.ai/connections/{connection_id}', method='DELETE') |
External URL reference
| 171 | req = urllib.request.Request('https://gateway.maton.ai/slack/api/chat.postMessage', data=data, method='POST') |
External URL reference
| 438 | # Native Slack API: POST https://slack.com/api/chat.postMessage |
External URL reference
| 442 | req = urllib.request.Request('https://gateway.maton.ai/slack/api/chat.postMessage', data=data, method='POST') |
External URL reference
| 452 | # Native HubSpot API: POST https://api.hubapi.com/crm/v3/objects/contacts |
External URL reference
| 456 | req = urllib.request.Request('https://gateway.maton.ai/hubspot/crm/v3/objects/contacts', data=data, method='POST') |
External URL reference
| 466 | # Native Sheets API: GET https://sheets.googleapis.com/v4/spreadsheets/{id}/values/{range} |
External URL reference
| 469 | req = urllib.request.Request('https://gateway.maton.ai/google-sheets/v4/spreadsheets/122BS1sFN2RKL8AOUQjkLdubzOwgqzPT64KfZ2rvYI4M/values/Sheet1!A1:B2') |
External URL reference
| 478 | # Native Salesforce API: GET https://{instance}.salesforce.com/services/data/v64.0/query?q=... |
External URL reference
| 481 | req = urllib.request.Request('https://gateway.maton.ai/salesforce/services/data/v64.0/query?q=SELECT+Id,Name+FROM+Contact+LIMIT+10') |
External URL reference
| 490 | # Native Airtable API: GET https://api.airtable.com/v0/meta/bases/{id}/tables |
External URL reference
| 493 | req = urllib.request.Request('https://gateway.maton.ai/airtable/v0/meta/bases/appgqan2NzWGP5sBK/tables') |
External URL reference
| 502 | # Native Notion API: POST https://api.notion.com/v1/data_sources/{id}/query |
External URL reference
| 506 | req = urllib.request.Request('https://gateway.maton.ai/notion/v1/data_sources/23702dc5-9a3b-8001-9e1c-000b5af0a980/query', data=data, method='POST') |
External URL reference
| 517 | # Native Stripe API: GET https://api.stripe.com/v1/customers |
External URL reference
| 520 | req = urllib.request.Request('https://gateway.maton.ai/stripe/v1/customers?limit=10') |
External URL reference
| 531 | const response = await fetch('https://gateway.maton.ai/slack/api/chat.postMessage', { |
External URL reference
| 548 | 'https://gateway.maton.ai/slack/api/chat.postMessage', |
External URL reference
| 579 | req = urllib.request.Request('https://ctrl.maton.ai/connections') |
External URL reference
| 589 | - Correct: `https://gateway.maton.ai/google-mail/gmail/v1/users/me/messages` |
External URL reference
| 590 | - Incorrect: `https://gateway.maton.ai/gmail/v1/users/me/messages` |
External URL reference
| 597 | req = urllib.request.Request('https://ctrl.maton.ai/connections?app=google-mail&status=ACTIVE') |
External URL reference
| 632 | - [API Reference](https://www.maton.ai/docs/api-reference) |
External URL reference
| 633 | - [Maton Community](https://discord.com/invite/dBfFAcefs2) |