Follow-up Engine (CRM Automation)

Security checks across malware telemetry and agentic risk

Overview

This CRM follow-up skill's documented behavior is mostly coherent, but it can repeatedly write customer follow-up records into OKKI and store customer data (drafts, logs) without a clearly enforced review, rollback, or containment boundary.

Install only if you intend to let this skill use your OKKI CRM access and create follow-up records. Start with dry-run mode, verify the OKKI CLI path and account permissions, protect drafts and logs because they may contain customer data, and do not enable the cron examples until you have a clear review and rollback process for generated CRM records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documents use of environment variables such as OKKI_CLI_PATH, DISCORD_BOT_TOKEN, and DISCORD_CHANNEL_ID, but no explicit permission model is declared. Undeclared access to environment-sourced secrets and executable paths increases the risk of hidden secret use, privilege expansion, and unsafe execution assumptions by downstream agents or runners.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The public description presents a configurable generic CRM integration, but the documented behavior is tightly coupled to OKKI, including customer identity resolution and use of an external OKKI Python CLI. This mismatch can mislead operators about what systems are accessed and what data processing occurs, undermining consent, review, and least-privilege deployment decisions.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The README claims automatic sending is strictly forbidden, but earlier configuration shows `require_wilson_approval_for_sending` as a configurable setting rather than an enforced invariant. This mismatch can create unsafe operator assumptions: users may trust that no autonomous sending is possible when the implementation or configuration could allow it, leading to unauthorized outbound emails or policy violations.
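The distinction this finding draws, a configurable flag versus an enforced invariant, is easiest to see side by side. The following is an added example written for this review, not the skill's own code: `weak_send` reproduces the flag-gated pattern the finding describes, and `hardened_send` shows the alternative, where the send path has no setting to flip and only accepts an approval token HMAC-bound to the exact draft text, so a draft edited after approval is refused. `ApprovalAuthority`, `ApprovalToken` and `hardened_send` are hypothetical names; the only identifier taken from the page is the `require_wilson_approval_for_sending` key.

```python
"""Added example (not the skill's own code): make reviewer approval an
invariant of the send path instead of a configurable flag.
ApprovalAuthority, ApprovalToken and hardened_send are hypothetical names."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


# --- Weak pattern from the finding: the gate lives in a config setting, so a
# config edit (or a missing key) silently removes it.
def weak_send(draft: str, config: dict, approved: bool = False) -> bool:
    """Return True if the draft would be sent under this config."""
    if config.get("require_wilson_approval_for_sending", True) and not approved:
        return False
    return True  # the real mail call would go here


# --- Hardened pattern: there is no setting to flip. Sending requires an
# approval token that is HMAC-bound to the exact draft text, so an edit made
# after approval invalidates the approval.
@dataclass(frozen=True)
class ApprovalToken:
    draft_digest: str
    mac: str


class ApprovalAuthority:
    """Issues and verifies approval tokens with a reviewer-held key."""

    def __init__(self, key: bytes | None = None) -> None:
        self._key = key or secrets.token_bytes(32)

    @staticmethod
    def _digest(draft: str) -> str:
        return hashlib.sha256(draft.encode("utf-8")).hexdigest()

    def approve(self, draft: str) -> ApprovalToken:
        digest = self._digest(draft)
        mac = hmac.new(self._key, digest.encode(), "sha256").hexdigest()
        return ApprovalToken(draft_digest=digest, mac=mac)

    def verify(self, draft: str, token: ApprovalToken) -> bool:
        digest = self._digest(draft)
        expected = hmac.new(self._key, digest.encode(), "sha256").hexdigest()
        return hmac.compare_digest(token.draft_digest, digest) and hmac.compare_digest(token.mac, expected)


def hardened_send(draft: str, token: ApprovalToken | None, authority: ApprovalAuthority) -> bool:
    """Send only with a valid token; refusal is an exception, not a silent False."""
    if token is None or not authority.verify(draft, token):
        raise PermissionError("outbound send refused: draft lacks a valid reviewer approval")
    return True  # the real mail call would go here


if __name__ == "__main__":
    authority = ApprovalAuthority()
    draft = "Hi, following up on last week's quote."  # constructed sample draft
    token = authority.approve(draft)
    print(hardened_send(draft, token, authority))
    try:
        hardened_send(draft + " (edited after approval)", token, authority)
    except PermissionError as exc:
        print(exc)
```

The point of binding the token to a digest of the draft is that "approved" becomes a property of a specific message rather than a session-wide mode: a reviewer's approval cannot be reused for a different or later-edited draft, and no configuration file can switch the check off.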

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The cron examples redirect raw script output to /tmp log files, while the security section claims sensitive customer data is redacted without showing any sanitization step. If scripts emit emails, company names, or API errors containing PII, those values may be exposed in world-readable or weakly protected temporary logs.
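A `>> /tmp/x.log 2>&1` redirect in a cron line gives no opportunity to redact anything, and files created in /tmp inherit whatever the umask allows. The following is an added example for this review (not the skill's own code) of what the missing sanitization step could look like: a writer that scrubs email addresses, secret-looking `key=value` pairs from API errors, and known company names before any byte reaches disk, and creates the log mode 0600 outside /tmp. The function names and the sample output lines are constructed for illustration.

```python
"""Added example (not the skill's own code): a cron-safe log writer that
redacts PII before anything touches disk and creates the file mode 0600
outside /tmp. redact and write_redacted_log are hypothetical names."""
from __future__ import annotations

import os
import re
import stat
from pathlib import Path
from typing import Iterable

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# key=value style secrets that API error messages tend to echo back
SECRET_RE = re.compile(r"(?i)\b(api[_-]?key|token|secret|authorization)=([^\s&\"']+)")


def redact(line: str, company_names: Iterable[str] = ()) -> str:
    """Scrub emails, secret-looking key=value pairs and known company names."""
    line = EMAIL_RE.sub("[email redacted]", line)
    line = SECRET_RE.sub(lambda m: f"{m.group(1)}=[redacted]", line)
    for name in company_names:
        line = re.sub(re.escape(name), "[company redacted]", line, flags=re.IGNORECASE)
    return line


def write_redacted_log(path: str | os.PathLike, lines: Iterable[str], company_names=()) -> int:
    """Append redacted lines to path; return the file's final permission bits."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    # O_CREAT with 0o600: the umask can only make this stricter. fchmod also
    # covers a pre-existing file that was created with looser permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    os.fchmod(fd, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as f:
        for line in lines:
            f.write(redact(line.rstrip("\n"), company_names) + "\n")
    return stat.S_IMODE(path.stat().st_mode)


# Constructed sample script output in the shape the finding describes (emails,
# a company name, and an API error echoing a credential); not real data.
SAMPLE_OUTPUT = [
    "created follow-up for alice@example.com (Acme Widgets Ltd)",
    "OKKI error 401 for bob@example.org: token=sk_live_abc123 rejected",
]

if __name__ == "__main__":
    log = Path.home() / ".local" / "state" / "followup-engine" / "run.log"
    mode = write_redacted_log(log, SAMPLE_OUTPUT, company_names=["Acme Widgets Ltd"])
    print(oct(mode))
    print(log.read_text(encoding="utf-8"))
```

Used from cron, the script would own its logging (writing through `write_redacted_log`) instead of relying on a shell redirect, so nothing unredacted is ever written. Company-name redaction needs the names supplied by the caller; a regex cannot recognise them on its own, which is why the list is a parameter.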

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The test script references hard-coded absolute paths in a specific developer's home directory and checks for resources outside the skill boundary, including another local skill and a local OKKI CLI checkout. This creates environment disclosure and unintended trust coupling to external local components; in a real CI or shared workstation context, it can leak filesystem layout, encourage unsafe assumptions about neighboring code, and make tests pass or fail based on undeclared external dependencies rather than the skill itself.
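Both this finding and the Lp3 finding above (environment variables read but never declared) are things a reviewer can check mechanically before installing a skill. The following is an added example for this review, not part of the skill or of SkillSpector: a small static scan over a skill's files that collects every environment variable referenced (`os.environ[...]`, `os.environ.get(...)`, `os.getenv(...)`, and `$VAR`/`${VAR}` in docs or shell) and diffs it against the declared set, and separately flags any hard-coded path under `/home` or `/Users`. The variable names in the sample come from the finding; the sample files, the `devuser` home directory and the function names are constructed.

```python
"""Added example (not the skill's own code): a static check over a skill's
files for (a) environment variables it reads but does not declare and
(b) hard-coded paths into a developer's home directory. Function names and
the sample files below are constructed for illustration."""
from __future__ import annotations

import re

ENV_PATTERNS = [
    re.compile(r"os\.environ(?:\.get\(|\[)\s*['\"]([A-Z][A-Z0-9_]+)['\"]"),
    re.compile(r"os\.getenv\(\s*['\"]([A-Z][A-Z0-9_]+)['\"]"),
    re.compile(r"\$\{?([A-Z][A-Z0-9_]{2,})\}?"),  # $VAR / ${VAR} in docs and shell
]
HOME_PATH_RE = re.compile(r"(?:/home|/Users)/[^/\s'\"]+(?:/[^\s'\"]*)?")


def find_env_refs(text: str) -> set[str]:
    """Every environment variable name the text appears to read."""
    refs: set[str] = set()
    for pat in ENV_PATTERNS:
        refs.update(pat.findall(text))
    return refs


def find_home_paths(text: str) -> list[str]:
    """Absolute paths into a user home directory (environment disclosure)."""
    return HOME_PATH_RE.findall(text)


def audit_skill(files: dict[str, str], declared_env: set[str]) -> dict:
    """files maps a relative filename to its text; declared_env is the
    skill's permission manifest, reduced here to a plain set of names."""
    used: set[str] = set()
    home_paths: list[tuple[str, str]] = []
    for name, text in files.items():
        used |= find_env_refs(text)
        home_paths += [(name, p) for p in find_home_paths(text)]
    return {
        "undeclared_env": sorted(used - declared_env),   # read but not declared
        "unused_declared_env": sorted(declared_env - used),
        "home_paths": home_paths,
    }


# Constructed sample skill, shaped like the findings describe; not the real files.
SAMPLE_FILES = {
    "SKILL.md": (
        "Set $OKKI_CLI_PATH to your OKKI CLI checkout. "
        "Discord alerts use $DISCORD_BOT_TOKEN and ${DISCORD_CHANNEL_ID}."
    ),
    "scripts/notify.py": (
        'token = os.environ["DISCORD_BOT_TOKEN"]\n'
        'channel = os.environ.get("DISCORD_CHANNEL_ID")\n'
    ),
    "tests/test_followup.py": (
        'CLI = "/home/devuser/okki-cli/okki.py"\n'
        'NEIGHBOR = "/home/devuser/skills/other-skill"\n'
    ),
}
DECLARED_ENV = {"OKKI_CLI_PATH"}  # what a manifest might declare

if __name__ == "__main__":
    for key, value in audit_skill(SAMPLE_FILES, DECLARED_ENV).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, `undeclared_env` comes back with the two Discord variables and `home_paths` lists both test-script constants, which is exactly the review output these two findings call for. The regexes are deliberately permissive (a `$HOME` in a shell snippet is reported too), since for an install-time review a false positive costs a glance and a miss costs a hidden secret.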

VirusTotal

65/65 vendors reported this skill as clean (0 detections).

View on VirusTotal