api-gateway
github.com/clawhub.ai/api-gateway
Scanned Thu, 28 May 2026 15:31:14 GMT
Scan ID crawl-snqju1eag8kg63spqo1bhtun · 8ms
C
SCORE 55 / 100
Verdict: Proceed with caution
7 medium findings.
This skill ships without a capability manifest plus 6 other issues listed below.
0 critical0 high7 medium5 rules passed
Why grade C?
score · 55 / 100The current grade reflects 7 medium findings (6+ MEDs → C).
0 CRIT0 HIGH7 MED0 LOW
To reach a higher grade
- BReach Btarget score 75
Resolve 2 of 7 MED (cap is 5).
- AReach Atarget score 95
Resolve 5 of 7 MED (cap is 2).
Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.
Findings · ordered by severity
medNo capability manifest declaredThe skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.rule: no-manifest▾
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule:
no-manifestmedLink text shows "cal.com" but points at github.comThe visible link text contains the domain `cal.com`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.▾
Link text shows "cal.com" but points at github.com
The visible link text contains the domain `cal.com`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
463- [Buffer](https://github.com/maton-ai/api-gateway-skill/tree/main/references/buffer/README.md) - Social media posts, channels, organizations, scheduling
464- [Calendly](https://github.com/maton-ai/api-gateway-skill/tree/main/references/calendly/README.md) - Event types, scheduled events, availability, webhooks
465- [Cal.com](https://github.com/maton-ai/api-gateway-skill/tree/main/references/cal-com/README.md) - Event types, bookings, schedules, availability slots, webhooks← text→cal.com · href→github.com
466- [CallRail](https://github.com/maton-ai/api-gateway-skill/tree/main/references/callrail/README.md) - Calls, trackers, companies, tags, analytics
467- [Chargebee](https://github.com/maton-ai/api-gateway-skill/tree/main/references/chargebee/README.md) - Subscriptions, customers, invoices
medLink text shows "fal.ai" but points at github.comThe visible link text contains the domain `fal.ai`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.▾
Link text shows "fal.ai" but points at github.com
The visible link text contains the domain `fal.ai`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
481- [Eventbrite](https://github.com/maton-ai/api-gateway-skill/tree/main/references/eventbrite/README.md) - Events, venues, tickets, orders, attendees
482- [Exa](https://github.com/maton-ai/api-gateway-skill/tree/main/references/exa/README.md) - Neural web search, content extraction, similar pages, AI answers, research tasks
483- [fal.ai](https://github.com/maton-ai/api-gateway-skill/tree/main/references/fal-ai/README.md) - AI model inference (image generation, video, audio, upscaling)← text→fal.ai · href→github.com
484- [Facebook Page](https://github.com/maton-ai/api-gateway-skill/tree/main/references/facebook-page/README.md) - Pages, posts, comments, insights, photos, videos, product catalogs
485- [Fathom](https://github.com/maton-ai/api-gateway-skill/tree/main/references/fathom/README.md) - Meeting recordings, transcripts, summaries, webhooks
medLink text shows "monday.com" but points at github.comThe visible link text contains the domain `monday.com`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.▾
Link text shows "monday.com" but points at github.com
The visible link text contains the domain `monday.com`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
539- [Microsoft Teams](https://github.com/maton-ai/api-gateway-skill/tree/main/references/microsoft-teams/README.md) - Teams, channels, messages, members, chats
540- [Microsoft To Do](https://github.com/maton-ai/api-gateway-skill/tree/main/references/microsoft-to-do/README.md) - Task lists, tasks, checklist items, linked resources
541- [Monday.com](https://github.com/maton-ai/api-gateway-skill/tree/main/references/monday/README.md) - Boards, items, columns, groups (GraphQL)← text→monday.com · href→github.com
542- [Motion](https://github.com/maton-ai/api-gateway-skill/tree/main/references/motion/README.md) - Tasks, projects, workspaces, schedules
543- [Netlify](https://github.com/maton-ai/api-gateway-skill/tree/main/references/netlify/README.md) - Sites, deploys, builds, DNS, environment variables
medLink text shows "pdf.co" but points at github.comThe visible link text contains the domain `pdf.co`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.▾
Link text shows "pdf.co" but points at github.com
The visible link text contains the domain `pdf.co`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
547- [OneDrive](https://github.com/maton-ai/api-gateway-skill/tree/main/references/one-drive/README.md) - Files, folders, drives, sharing
548- [Outlook](https://github.com/maton-ai/api-gateway-skill/tree/main/references/outlook/README.md) - Mail, calendar, contacts
549- [PDF.co](https://github.com/maton-ai/api-gateway-skill/tree/main/references/pdf-co/README.md) - PDF conversion, merge, split, edit, text extraction, barcodes← text→pdf.co · href→github.com
550- [Pipedrive](https://github.com/maton-ai/api-gateway-skill/tree/main/references/pipedrive/README.md) - Deals, persons, organizations, activities
551- [Podio](https://github.com/maton-ai/api-gateway-skill/tree/main/references/podio/README.md) - Organizations, workspaces, apps, items, tasks, comments
medLink text shows "systeme.io" but points at github.comThe visible link text contains the domain `systeme.io`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.▾
Link text shows "systeme.io" but points at github.com
The visible link text contains the domain `systeme.io`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
567- [Sunsama MCP](https://github.com/maton-ai/api-gateway-skill/tree/main/references/sunsama-mcp/README.md) - MCP-based interface for tasks, calendar, backlog, objectives, time tracking
568- [Supabase](https://github.com/maton-ai/api-gateway-skill/tree/main/references/supabase/README.md) - Database tables, auth users, storage buckets
569- [Systeme.io](https://github.com/maton-ai/api-gateway-skill/tree/main/references/systeme/README.md) - Contacts, tags, courses, communities, webhooks← text→systeme.io · href→github.com
570- [Tally](https://github.com/maton-ai/api-gateway-skill/tree/main/references/tally/README.md) - Forms, submissions, workspaces, webhooks
571- [Tavily](https://github.com/maton-ai/api-gateway-skill/tree/main/references/tavily/README.md) - AI web search, content extraction, crawling, research tasks
medLink text shows "wordpress.com" but points at github.comThe visible link text contains the domain `wordpress.com`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.▾
Link text shows "wordpress.com" but points at github.com
The visible link text contains the domain `wordpress.com`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
584- [WhatsApp Business](https://github.com/maton-ai/api-gateway-skill/tree/main/references/whatsapp-business/README.md) - Messages, templates, media
585- [WooCommerce](https://github.com/maton-ai/api-gateway-skill/tree/main/references/woocommerce/README.md) - Products, orders, customers, coupons
586- [WordPress.com](https://github.com/maton-ai/api-gateway-skill/tree/main/references/wordpress/README.md) - Posts, pages, sites, users, settings← text→wordpress.com · href→github.com
587- [Wrike](https://github.com/maton-ai/api-gateway-skill/tree/main/references/wrike/README.md) - Tasks, folders, projects, spaces, comments, timelogs, workflows
588- [Xero](https://github.com/maton-ai/api-gateway-skill/tree/main/references/xero/README.md) - Contacts, invoices, reports
skillox.io/r/crawl-snqju1eag8kg63spqo1bhtun