api-gateway
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill exposes a broad surface for indirect prompt injection due to its core functionality of ingesting external data.
  - Ingestion points: The skill is designed to retrieve content from over 100 external APIs, including email (Gmail, Outlook), chat (Slack, Microsoft Teams), and document platforms (Notion, GitHub), which may contain malicious instructions (e.g., references/google-mail/README.md, references/slack/README.md).
  - Boundary markers: There are no instructions or templates provided within the reference documentation to use delimiters or boundary markers to isolate external data from agent instructions.
  - Capability inventory: The skill possesses extensive write and delete capabilities across authorized platforms, such as chat.postMessage in Slack and delete_task in Sunsama, which could be leveraged if an indirect injection is successful.
  - Sanitization: No sanitization or validation mechanisms are described for data fetched from external sources before interpolation into the agent context.
- [EXTERNAL_DOWNLOADS]: The skill documentation describes and demonstrates network communication with the Maton API gateway for connection management and request proxying.
  - Evidence: Use of the gateway.maton.ai and ctrl.maton.ai domains across examples in SKILL.md and multiple provider README files. These domains are central to the skill's operation but are not included in the standard whitelist of trusted registries or platforms.