B2B SDR Agent Template

Security checks across malware telemetry and agentic risk

Overview

This is a powerful sales-agent deployment package with disclosed SDR features, but it also weakens execution safeguards, stores customer conversations long-term, and tells the agent to hide that it is AI.

Review this carefully before installing, especially on a production server. Do not run the deploy script unless you accept root-level OpenClaw configuration changes, disabled exec prompts, broad skill installation, persistent customer-data storage, and network-exposed dashboard defaults. Remove or change the AI-identity concealment and memory-concealment prompts, disable silent telemetry, restrict inbound/contact policies, set dashboard binding to loopback or a protected reverse proxy, and define retention/deletion controls before using it with real customers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (105)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 82%
Finding: The skill advertises deployment and isolation scripts that imply shell execution and file modification, yet the skill declares no permissions. That mismatch weakens user consent and review, because operators may install or run a package with broader capabilities than the manifest communicates.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The documented purpose presents a sales-agent template, but the analyzed behavior includes remote server configuration, approval bypassing, analytics/tracking, external SaaS promotion, arbitrary bundle installation, and upstream monitoring. This mismatch is dangerous because reviewers may trust the benign description while the package performs materially broader and more privileged actions that increase supply-chain, privacy, and system-integrity risk.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The spec explicitly instructs the agent to conceal memory gaps and present retrieved historical data as if it always remembered. That is a deceptive behavior pattern that can mislead customers about the nature of the interaction and the provenance of the information, increasing trust-manipulation risk in a sales context.

Context-Inappropriate Capability
Severity: Medium
Confidence: 98%
Finding: The system prompt says the agent must never admit memory limitations and should mask uncertainty with a natural-sounding fallback. In a customer-facing SDR workflow, this creates intentional deception and can cause the agent to state unverified or inferred facts with undue confidence.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The script explicitly writes OpenClaw exec approvals with security set to full and prompts disabled, enabling unrestricted unattended command execution on the deployed host. In an agent framework that can install skills and run gateway services, this materially expands the blast radius from SDR automation into arbitrary system command execution if a skill, prompt, or dependency is compromised.

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%
Finding: The deployment accepts EXTRA_SKILLS from configuration and installs them with --force --no-input, allowing silent expansion of agent capabilities beyond the declared SDR profile. In this ecosystem, additional skills may introduce new tools, network access, or code paths that operators did not review, increasing supply-chain and overprivilege risk.

Description-Behavior Mismatch
Severity: Medium
Confidence: 98%
Finding: The installer silently sends usage telemetry to a third-party service without a clear opt-in or prominent disclosure. In a shell installer, undisclosed network beacons are risky because they leak execution metadata and normalize hidden external communication beyond the expected installation behavior.

Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding: The script diverts users into a managed SaaS signup path and attempts to open the external signup URL in a browser rather than limiting itself to local installation. While not code execution by itself, this is a trust and security concern because an installer for open-source software is performing promotional redirection and external navigation that users may not expect.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The skill explicitly instructs a covert workflow in which customer-facing English messages are paired with a hidden Chinese self-chat translation and says never to mention this to the customer. That introduces deceptive behavior and undisclosed secondary handling of customer content, which is risky in a sales automation context where trust and consent matter.

Context-Inappropriate Capability
Severity: Medium
Confidence: 98%
Finding: The rule forbidding 'As an AI...' or any AI disclosure is an explicit instruction to conceal the automated nature of the interaction. In a B2B sales setting, this can mislead prospects about who or what they are interacting with and can create compliance, trust, and policy risks.

Context-Inappropriate Capability
Severity: Medium
Confidence: 99%
Finding: The instruction to 'never reveal AI identity' is a deliberate concealment requirement that misrepresents the nature of the agent to customers. In a B2B sales setting this can undermine informed consent, create compliance and trust risks, and encourage deceptive interactions at scale.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The document describes persistent storage across MemOS, ChromaDB, CRM snapshots, and Google Sheets, but does not include a clear user-facing warning, consent model, or data-handling notice. This creates a transparency and privacy-risk gap because customer conversation data is being replicated across several external systems.

Natural-Language Policy Violations
Severity: Medium
Confidence: 97%
Finding: The prompt directs the agent to conceal recall failure rather than be honest about uncertainty. This undermines transparency, can mislead customers into overtrusting the agent, and is especially problematic in a sales workflow where prior quotes, commitments, and terms may materially affect decisions.

Natural-Language Policy Violations
Severity: Medium
Confidence: 87%
Finding: The changelog documents behavior that forces customer-facing responses into English and sends Chinese translations and owner reports through self-chat by default, without any mention of notice, consent, or configuration gating. In a sales/messaging agent, silently transforming user communications and duplicating message content into another channel increases privacy, compliance, and transparency risk, especially when customer data may be processed or relayed in ways users do not expect.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The README explicitly recommends accepting WhatsApp messages from all contacts by default and frames it as the recommended configuration for sales. This creates an unnecessarily broad inbound surface for spam, abuse, prompt-injection attempts, harassment, and accidental collection of personal data without a strong warning or compensating controls.

Natural-Language Policy Violations
Severity: High
Confidence: 98%
Finding: The documentation instructs the agent to never disclose that it is an AI and to present itself as a human sales consultant. That is deceptive by design and can facilitate fraud, social engineering, and unlawful or noncompliant outreach, especially in sales contexts where identity transparency matters.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The README describes automated Gmail scanning, multichannel messaging, and broad customer-data capture without pairing those capabilities with clear privacy, consent, retention, or third-party data-handling safeguards. In a sales automation context, this can lead operators to deploy collection and processing of personal/business contact data in ways that violate privacy expectations, internal policy, or applicable regulations.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The documentation recommends an open WhatsApp DM policy and multichannel automation for real contacts without strong warnings about spam, unsolicited outreach, or unintended autonomous actions. In this skill's context, that increases the chance of mass messaging or engagement with real users without consent, which can cause account bans, complaints, and legal/compliance exposure.

Natural-Language Policy Violations
Severity: High
Confidence: 97%
Finding: The README explicitly states the agent should never reveal it is an AI and should instead present itself as a human sales consultant. This is deceptive by design and is especially risky in a sales setting, where users may rely on the representation when deciding whether to engage, share data, or negotiate terms.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The README describes broad automated collection, enrichment, scoring, storage, and monitoring of prospect/customer data across channels without clear privacy disclosures, consent boundaries, retention limits, or jurisdictional compliance guidance. In a sales automation context, this can normalize over-collection of personal and business-contact data and lead operators to deploy workflows that violate privacy expectations or regulations.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The documentation promotes automated multichannel outreach and follow-up sequences without prominent warnings about spam, platform-policy violations, rate limits, or account-suspension risk. Because this is an SDR template intended for production use, operators may treat aggressive unsolicited automation as endorsed behavior and expose both recipients and accounts to abuse or blocking.

Natural-Language Policy Violations
Severity: High
Confidence: 95%
Finding: The README explicitly instructs the agent to never reveal its AI identity and to present itself as a human sales consultant, which is deceptive by design. In a customer-facing sales skill, this materially increases the risk of fraud, social engineering, and noncompliance with emerging AI transparency requirements, because recipients cannot make an informed choice about interacting with an automated system.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The README promotes end-to-end lead capture and automated CRM handling across WhatsApp, Telegram, and Email, but does not prominently disclose that contact details and conversation content will be collected, processed, and stored. In a sales-agent context, this omission creates privacy, consent, and compliance risk because operators may deploy the system without informing leads that their data is being retained and analyzed.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: This section advertises automatic lead discovery, enrichment, CRM entry, and cross-session memory capture, all of which imply systematic collection and persistence of personal and business data. Because the README frames these as turnkey features without a strong warning about storage, lawful basis, and retention, it increases the likelihood of silent mass profiling and non-compliant data processing.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: The anti-amnesia architecture explicitly claims the agent will retain all customers, quotes, and commitments across long periods and restarts, but it does not pair that with explicit warnings about retention of customer communications. Persistent storage of full conversations, commitments, and CRM snapshots materially raises privacy and breach impact because sensitive commercial discussions can be reconstructed long after the original interaction.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal