Back to skill

Security audit

Salesforce Skill

Security checks across malware telemetry and agentic risk

Overview

This Salesforce skill appears purpose-built for CRM management, but it grants broad read, write, delete, bulk, and arbitrary-query access without clear safety gates.

Install only with a least-privilege Salesforce account, preferably in a sandbox first. Treat the access token as a secret, avoid exposing command output in shared logs, and require explicit human confirmation before any update, delete, bulk import, bulk export, or arbitrary SOQL query against production data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The utility commands `query` and `query-json` allow arbitrary SOQL to be executed against the connected Salesforce org, far exceeding the script’s otherwise structured helper role. In an agent/skill context, this enables unrestricted retrieval of CRM data and schema information, which can expose sensitive records, relationships, and metadata if invoked by an untrusted prompt or workflow.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises create, update, delete, and bulk import/export operations against Salesforce data without any warning about destructive actions, confirmation requirements, backups, or least-privilege use. In a chat-driven agent context, this increases the risk of accidental or misunderstood commands causing unauthorized data modification, deletion, or large-scale data changes.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description is broadly scoped to 'CRM data' and 'Salesforce operations,' which can cause the agent to activate for many ordinary requests without clear limits on read vs. write actions. In a system that can query, create, update, and delete production CRM records, overly broad activation increases the chance of unnecessary access or unintended destructive actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill includes direct record deletion and bulk deletion examples, but it does not clearly require confirmation, dry-run validation, or safeguards before destructive execution. In a CRM context, accidental or overly broad deletion can cause immediate business-impacting data loss affecting leads, contacts, or other customer records.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs use of a Salesforce access token from an environment variable without any warning about credential sensitivity, logging exposure, shell history, or downstream privacy impact. Because the token grants API access to CRM data and operations, careless handling could expose customer data or permit unauthorized record changes.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
These commands retrieve and display customer contact and opportunity data, including names, emails, phone numbers, owners, and account details, without any minimization or warning. In a skill setting, this increases the chance of unnecessary exposure of PII and business-sensitive CRM data through terminal output, logs, or downstream agent handling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script performs create and update operations against Salesforce records directly from command arguments, with no confirmation step, dry-run mode, or guardrails around write effects. In an agent context, mistaken or prompt-induced invocations could alter production CRM data, create fraudulent records, or corrupt pipeline, case, lead, or task information.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.