Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OKKI Email Sync
v1.0.0
Synchronize email activities and quotation events with OKKI CRM as follow-up trail records. Automatically matches emails to CRM customers via domain lookup a...
⭐ 0 · 46 · 1 current · 1 all-time
by Jaden's built a claw (@cjboy007)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (sync emails/quotations to OKKI CRM) aligns with what the JS module does: domain matching, vector search fallback, deduplication, and calling an OKKI CLI to create trails. Nothing in the code attempts unrelated cloud access or surprising capabilities. However the SKILL.md expects external local tooling (OKKI CLI, vector search script) and environment variables even though the registry declares no required env vars — a mismatch worth noting.
Instruction Scope
Runtime instructions and the JS code stay within the described scope: they extract domains, optionally call a local vector-search Python script, call a local OKKI CLI (via python), and log unmatched items and processed UIDs to /tmp files. A notable behavior: the SKILL.md instructs you to copy the module into other skill workspaces (e.g., imap-smtp-email, quotation-workflow) so it becomes part of those skills' runtime; that modifies other skills' codebase and broadens the effective scope of this module. There are no explicit instructions to send data to unknown remote endpoints in the provided code (it relies on local CLI/scripts), but those external scripts/CLI could network‑contact remote APIs — verify them.
Install Mechanism
No install script or remote downloads are used; the skill is instruction+source only. That lowers risk: nothing will be fetched from arbitrary URLs. The JS file executes local Python and a local okki.py script via execFile, which is expected for this integration.
Credentials
The registry shows no required environment variables, but SKILL.md and the code expect several environment/config overrides (OKKI_CLI_PATH, VECTOR_SEARCH_PATH, PYTHON_VENV_PATH, OKKI_SYNC_RECORD_FILE). The module also inherits process.env when launching subprocesses. While no explicit API keys are declared in requires.env, the OKKI CLI likely needs credentials configured elsewhere — you should confirm where OKKI credentials are stored and that they are scoped appropriately before use.
Persistence & Privilege
The skill does not set always:true and is user-invocable (normal). Still, it is designed to be copied into and run from other skills' directories (it even documents copying/overwriting okki-sync.js into other skill workspaces). This practice modifies other skill code/configuration and increases blast radius if the module or the local CLI/scripts are malicious. It also writes state to /tmp files (processed records and unmatched logs) — benign in itself but persistent across runs on the host.
What to consider before installing
This module appears to implement the advertised OKKI CRM sync, but confirm the following before installing or integrating:
1) Verify the local OKKI CLI (okki.py) and the vector-search Python script are legitimate, review their code, and confirm where OKKI credentials are stored.
2) Supply and lock down the environment variables (OKKI_CLI_PATH, VECTOR_SEARCH_PATH, PYTHON_VENV_PATH, OKKI_SYNC_RECORD_FILE) rather than relying on defaults.
3) Back up any target skill files before copying this module into other skills — the SKILL.md recommends copying the file into other skill directories, which will modify their code.
4) Run the module in a controlled environment (sandbox or staging) to observe network activity from the OKKI CLI and vector-search script.
5) If you cannot review the referenced Python scripts/CLI, avoid integrating the module into production systems, because it will execute local subprocesses with access to environment and workspace data.
Patterns worth reviewing
scripts/okki-sync.js:63 — Shell command execution detected (child_process).
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
