Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
B2b Sdr Agent Template
v1.0.0
Open-source B2B AI SDR template. 7-layer context system with 10-stage sales pipeline, 4-layer anti-amnesia memory, 13 automated cron jobs, WhatsApp IP isolat...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a multi-channel B2B SDR platform that legitimately needs API keys (LLM provider, MemOS, gateway tokens, channel tokens) and host/network configuration. The registry metadata, however, lists no required environment variables or primary credential — that is inconsistent and misleading. Several scripts (deploy.sh, ip-isolate.sh, generate-config.sh) and files reference credentials and system-level settings that a simple 'instruction-only' skill should have declared.
Instruction Scope
Runtime instructions explicitly tell the agent/admin to inject dynamic customer memory into the Agent's System Prompt, add post-conversation hooks, run cron jobs, edit ~/.openclaw/openclaw.json, and enable a network-accessible dashboard (default 'lan'). Those actions modify agent/system configuration and override system prompts. The SKILL.md also contains prompts that demand precise JSON-only outputs and guidelines for 'never reveal AI identity' (deceptive behavior). This expands the skill's scope beyond a passive helper and grants it broad ability to change agent/system behaviour.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the bundle contains many shell scripts (deploy/*.sh, install.sh, ip-isolate.sh) that the operator is expected to run. Running those scripts will configure networking (wireproxy/WARP), generate tokens, and write config files. That manual-install approach is acceptable but higher-risk because the scripts execute system/network changes — review them before running and run in an isolated/test environment.
Credentials
Although the registry records no required env vars, SKILL.md and code clearly expect multiple secrets: LLM API key(s), MEMOS_API_KEY, GATEWAY token, TELEGRAM_BOT_TOKEN, Gmail/Sheets IDs, and CRM/WhatsApp config. The skill will read/write external memory backends (MemOS, ChromaDB) and maintain conversation archives. Asking for broad credentials is proportionate to a full SDR platform, but the omission from the skill metadata is a significant mismatch and a transparency problem.
Persistence & Privilege
The skill instructs installation of cron jobs, post-conversation hooks, and edits to OpenClaw config and system prompts. These operations give the skill persistent, system-level presence (writes to agent config, dashboard token exposure, network binding defaults). 'always' is false, but the requested modifications allow ongoing autonomous behaviour and broad reach; this is expected for a hosted agent but raises privilege concerns and should be limited to a controlled environment.
Scan Findings in Context
[ignore-previous-instructions] unexpected: Pre-scan flagged patterns indicating prompt-injection style content. The SKILL.md instructs that certain outputs be 'only updated JSON' and contains explicit prompts to inject memory into the System Prompt; while memory injection is part of the feature, 'ignore previous instructions' style constructs are not necessary and are high-risk for prompt override attacks.
[system-prompt-override] expected: The skill explicitly tells operators to inject a dynamic 'Customer Memory Snapshot' into the Agent's System Prompt and to configure Post-Conversation hooks. Injecting memory into the system prompt is functionally needed for the anti-amnesia design, but it is a high-risk capability (it can override system-level behavior) and must be handled carefully and explicitly consented to by the operator.
What to consider before installing
Do not run deploy/install scripts until you review them and confirm their origin. Steps to consider before installing:
- Verify the source: the registry lists no homepage and owner identity is opaque. Check the linked GitHub repo and commit history to confirm authenticity.
- Inspect deploy/*.sh and install.sh line-by-line (or run them in a disposable VM/container) to see what they write, what external URLs they contact, and whether they download binaries.
- Prepare least-privilege credentials: create separate API keys/accounts for MemOS/Chroma/LLM and avoid using production credentials during initial tests.
- Be cautious about the dashboard token and default 'lan' binding: set GATEWAY_BIND=loopback or otherwise restrict access before first start.
- Note the skill will inject dynamic memory into the System Prompt and modify OpenClaw config; only allow that in environments where you accept the agent changing system prompts and cron jobs.
- Evaluate privacy/regulatory impact: the agent stores conversation history, quotes, and PII in third-party services (MemOS/Chroma); ensure compliance with data protection rules and retention policies.
- If you need to proceed, test in an isolated sandbox (container or VM) and monitor network traffic during the deploy to detect unexpected exfiltration.
If you want, I can scan the deploy and ip-isolate scripts for specific risky operations (remote downloads, exec of fetched payloads, or writes to system directories) and summarize which lines to review first.
ANTI-AMNESIA.md:147
Prompt-injection style instruction pattern detected.
workspace/SOUL.md:59
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
