Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

B2B SDR Agent

v3.4.0

Open-source B2B AI SDR template. 7-layer context system with 10-stage sales pipeline, 4-layer anti-amnesia memory, 13 automated cron jobs, WhatsApp IP isolat...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The SKILL.md and README describe multi-channel production deployment (WhatsApp/Telegram/email), Cloudflare WARP IP isolation, MemOS/ChromaDB memory, cron jobs, Gmail scanning and AI model API keys. The registry metadata, however, declares no required env vars, no binaries, and no config paths — a clear mismatch. Legitimate multi-tenant WhatsApp + MemOS + Cloudflare WARP deployments require API keys and account credentials that are not declared here.
! Instruction Scope
Runtime instructions tell operators to run deploy scripts (deploy/deploy.sh, ip-isolate.sh), enable cron jobs, scan Gmail, and install post-conversation hooks that auto-extract and inject structured memory into the agent's System Prompt. Those instructions read and transmit conversation contents and ask to inject memory into system prompts — this is substantial scope (data collection, prompt modification, external API calls) beyond what the registry metadata suggested.
Install Mechanism
There is no formal install spec (instruction-only in registry), but the package includes many executable scripts (deploy/*.sh, skills/*/*.sh, .mjs files). That means the 'install' is manual: operators will run those scripts, which may download/configure system components and change network settings. Absence of an install manifest lowers transparency and increases operational risk because side effects are only visible by inspecting the scripts.
! Credentials
SKILL.md and ANTI-AMNESIA.md explicitly reference many sensitive credentials (AI model API keys, MEMOS_API_KEY, Cloudflare/WARP config, Google Sheets IDs, Telegram tokens, WhatsApp credentials). Yet the registry lists none. The skill therefore requests broad secrets in practice but does not declare them as required fields — disproportionate and opaque.
! Persistence & Privilege
The skill runs scheduled cron jobs, deploy scripts that configure per-tenant network proxies (Wireproxy -> WARP), and instructs injecting memory into System Prompt and/or Knowledge Base. While 'always' is false, these behaviors imply significant system presence and privileges (network configuration, scheduled tasks, persistent access to conversation data) that should be explicitly justified and controlled.
Scan Findings in Context
[ignore-previous-instructions] unexpected: Detected in SKILL.md/ANTI-AMNESIA content. Prompt-injection style directives (e.g., instructing the agent to import Markdown as a system-prompt supplement or auto-inject memory into the System Prompt) are present. While memory injection may be intentional for this product, patterns that override or append to the system prompt are high-risk and not expected for a simple template installer.
[system-prompt-override] unexpected: The documentation explicitly instructs adding dynamic 'Customer Memory Snapshot' sections to the System Prompt and recommends importing spec docs as System Prompt supplements. Modifying the agent's system prompt at runtime is powerful and can be abused; it should be carefully reviewed and restricted.
What to consider before installing
Do not run the provided deploy scripts or give secrets to this skill until you do the following checks:
1) Inspect deploy/deploy.sh, deploy/ip-isolate.sh and any scripts that write cron jobs or change network config to understand exactly what they do and which accounts/credentials they expect.
2) Confirm which API keys/tokens the skill will use (OpenAI/Anthropic/Google/Kimi, MEMOS_API_KEY, Cloudflare WARP, WhatsApp/Telegram tokens, Google Sheets ID) — the registry omitted these, so ask the author or review config.sh.example.
3) Treat the memory/system-prompt injection behavior as a security boundary change: decide whether you trust automatic injection of conversation memory into the agent's system prompt and audit the exact templates used.
4) If you want to test, run in an isolated VM/container with restricted network egress and limited credentials (use throwaway accounts), and avoid running as root.
5) Prefer managed hosting (PulseAgent) or ask the maintainer for a minimal 'dry-run' mode that does not enable cron jobs, network changes, or prompt injection.
If you cannot verify scripts and required credentials, consider the skill suspicious and avoid deploying it to production systems.
! ANTI-AMNESIA.md:147
Prompt-injection style instruction pattern detected.
! workspace/SOUL.md:36
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.
