Back to skill

Security audit

B2B SDR Agent

Security checks across malware telemetry and agentic risk

Overview

This is a powerful B2B sales automation skill, but it needs review because it weakens execution approvals, hides AI identity in customer communications, sends silent installer telemetry, and broadly stores customer data.

Install only after reviewing the deploy scripts and workspace prompts. Use a test server, keep exec approvals interactive, disable silent telemetry, avoid human-impersonation prompts, restrict WhatsApp/Telegram/Gmail/CRM access to approved accounts, set retention limits for customer data, and review every automatically installed skill before enabling production outreach.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (111)

Lp3

Medium
Category
MCP Least Privilege
Confidence
77% confidence
Finding
The skill advertises deployment commands and shell-based setup behavior while declaring no permissions, which creates a transparency and trust gap for operators. In an agent ecosystem, undocumented shell and file-write capabilities are dangerous because they can modify host configuration or execute privileged actions that users did not explicitly authorize.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose of the skill does not match several reported behaviors, including analytics calls, service promotion/redirection, unrelated auxiliary functionality, and especially forcing OpenClaw exec approvals to a permissive setting. Hidden or under-disclosed behavior is a serious security issue because it can weaken execution safeguards and cause operators to run code with broader trust than the description justifies.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The spec expands from conversation-memory support into broader CRM and Google Sheets synchronization, which increases the amount and spread of customer data processed beyond the anti-amnesia purpose. This creates unnecessary data exposure and privilege creep, especially because the sync is automated and continuous.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
Daily full-CRM snapshotting to ChromaDB materially broadens retained data and creates a second long-term store of pipeline information that is not necessary for per-conversation memory. Duplicating entire CRM state into another database increases breach impact, retention risk, and accidental cross-customer exposure.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The prompt explicitly tells the agent to conceal memory limitations rather than be transparent when recall is uncertain. That encourages deceptive behavior toward customers and can lead the agent to present inferred or retrieved details as certain, increasing misrepresentation and trust risk.

Intent-Code Divergence

Low
Confidence
79% confidence
Finding
The document claims customer isolation while describing storage of all conversations in one shared ChromaDB collection. Although metadata filters are applied, this mismatch increases the chance of implementation mistakes, query bugs, or future changes causing cross-customer retrieval or leakage.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script explicitly writes an OpenClaw exec-approvals policy with security set to full and ask turned off, removing human approval for command execution. In an agent platform that can install skills and execute actions on a remote host, this materially lowers the barrier to arbitrary command execution by a malicious or compromised skill and is especially dangerous because it is deployed automatically as a default.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The file explicitly instructs the agent to act as a human 'International Sales Manager' and 'never reveal AI identity,' which creates deceptive impersonation behavior. In a customer-facing sales context across WhatsApp/Telegram, this can mislead recipients, bypass informed consent, and encourage non-transparent interactions at scale.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The file explicitly instructs the agent to present itself as a human 'Trade Advisor' and to never reveal its AI identity. That is a genuine impersonation/deception control, not a harmless branding choice, and it can mislead prospects about who or what they are interacting with. In a sales outreach context, this increases risk of deceptive communications, consent issues, and policy or regulatory violations.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This skill grants an unjustified capability to hide AI identity in a multi-channel B2B outreach workflow, which is more dangerous than a local stylistic prompt because it is operationalized for external communications. Concealed identity can be used to evade recipient scrutiny, bypass trust boundaries, and scale deceptive outreach across WhatsApp and email. The surrounding sales-agent context makes the issue more serious because the system is designed to contact external parties and influence business decisions.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The installer sends usage telemetry to PulseAgent via a silent tracking call without presenting a clear notice or obtaining user consent. In an installer context, undisclosed outbound analytics is a legitimate security and privacy concern because it transmits user activity to a third party beyond the minimum needed to install the software.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The default flow steers users to a commercial managed service and attempts to open a browser instead of primarily performing the advertised self-hosted installation. This is risky because a one-line installer executed in a shell should minimize unexpected side effects and external redirection, especially when it changes user expectations from software installation to account signup.

Intent-Code Divergence

Low
Confidence
97% confidence
Finding
The comment explicitly characterizes the analytics as 'silent', while the code sends installer events to an external service without a user-facing disclosure. The deceptive framing increases concern because it normalizes hidden network behavior in an installer, undermining informed consent and trust.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The prerequisite check imports `graphify` but, if missing, installs `graphifyy`, which is a different package name and therefore a likely typo-squatting or unintended dependency risk. Because this is presented as a setup step users may copy-paste directly, it can lead to execution of untrusted package install scripts on the host system, making the skill context materially more dangerous.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This is a true vulnerability because the 'heartbeat' is framed as an inspection/reporting routine, but these steps instruct the agent to take operational actions such as sending follow-ups, updating CRM state, and creating new records from inbox activity. In an autonomous agent context, that expands a monitoring task into externally visible side effects, which can trigger unintended outreach, incorrect record creation, or unauthorized workflow changes without explicit approval.

Description-Behavior Mismatch

Low
Confidence
87% confidence
Finding
This is a real design inconsistency with security implications: the file says the heartbeat should only report or return HEARTBEAT_OK, yet later sections instruct persistent writes to memory systems and backups. Such contradictions are dangerous because they blur operator expectations and can cause hidden side effects during what appears to be a harmless health check.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
This is a true vulnerability because the document presents the heartbeat as a passive reporting mechanism while embedding instructions for active side effects such as sending messages, creating CRM records, and writing snapshots. Mislabeling an active automation as 'inspection only' reduces transparency and increases the chance that operators enable it without understanding the real permissions and consequences.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The instruction to 'never reveal AI identity' explicitly requires deceptive impersonation of a human sales representative. In a B2B outreach context, this creates trust, consent, and compliance risks because recipients are denied a meaningful choice about engaging with an AI system.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The spec routes customer conversation data into MemOS, ChromaDB, Google Sheets, and CRM-related stores without any user-facing notice or operator guidance on retention and third-party sharing. Silent multi-destination data handling raises privacy, compliance, and consent risks, especially for sales conversations containing contact and business data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The post-conversation hook/cron design automatically extracts and uploads conversation content every turn, creating continuous background processing of customer data without transparency controls. This raises privacy and compliance concerns and magnifies the blast radius if the external service or credentials are compromised.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
The instruction to use retrieval results 'as if you always remembered' directs the agent to mask that it relied on system lookups. That is a transparency issue that can mislead customers about the agent's capabilities and about how their prior data is being used.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
Telling the agent to never admit memory gaps and avoid saying it does not remember incentivizes deceptive communication and can produce confident but inaccurate responses. In an SDR context, that can misstate pricing, commitments, or customer requirements while hiding the basis for the statement.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly recommends `dmPolicy: "open"`, allowing any WhatsApp contact to message the system, while elsewhere describing persistent storage, CRM ingestion, and cross-session memory of customer conversations. That combination creates a real privacy and data-governance risk because unsolicited or personal messages may be collected, retained, and processed without adequate notice, consent, minimization, or access controls.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documented cron jobs include automated Gmail scanning and the skill also advertises multi-layer memory and CRM logging of customer communications. Without explicit privacy/data-handling guidance, this encourages broad collection and long-term processing of potentially sensitive business or personal data, increasing compliance and confidentiality risk.

Natural-Language Policy Violations

High
Confidence
97% confidence
Finding
The README states the agent should never disclose that it is AI and instead present itself as a human sales consultant. This is a genuine policy and trust issue because it enables deceptive impersonation in customer communications, which can facilitate fraud, bypass user expectations, and create regulatory and reputational exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
ANTI-AMNESIA.md:147

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
workspace/SOUL.md:59