Breakcold

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Breakcold CRM automation skill, but it can read sensitive inbox and CRM data and make broad automatic CRM changes with limited per-run confirmation.

Install only if you want an agent to actively operate Breakcold on your behalf. Before running it, confirm the exact workspace, workflow, batch size, and whether writes are allowed. Be especially careful with CRM setup/reorganization, scheduled routines, contact detection, and pipeline movement, because those can modify existing records or create new ones automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The document gives contradictory guidance about filtering: earlier it says the API does not support generic field filters and relies on saved views, but later it states `records_list` accepts request-body filter conditions. In an agent skill, contradictory API semantics can cause the agent to issue malformed calls, fall back unpredictably, or over-fetch and then perform unintended bulk actions on the wrong dataset.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The skill explicitly says that anything beyond the six named workflows is still in scope because the MCP exposes the full CRM surface. That broad activation scope can cause the agent to engage on loosely related prompts and perform CRM reads or writes the user did not clearly intend, increasing the chance of overreach and unintended data modification.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The routing table uses very broad, everyday-language triggers such as 'help me with Breakcold' or 'what can you do?', which can activate the skill from vague user utterances. In a multi-skill environment this raises the risk of accidental invocation, unintended tool use, and the agent steering into CRM operations without sufficiently specific user intent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill instructs the agent to create custom activity 'breadcrumbs' for non-trivial automated decisions and explicitly says not to ask permission. This causes persistent writes to the user's CRM audit trail without notice at setup time, which can surprise users, clutter records, and create privacy or governance issues if internal reasoning is logged into business systems.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill directs the agent to scan a user's inbox across multiple channels and perform automatic CRM writes, but it does not require a clear upfront warning or explicit confirmation about the scope of data access and the consequences of modifying CRM records. This creates a privacy and integrity risk: users may not realize the agent will inspect broad communications history and auto-create or enrich contacts based on inferred criteria.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The trigger phrases are very broad and can activate destructive CRM reorganization behavior from ordinary help-style requests like 'set up my CRM' or 'redo the pipeline.' In this skill, broad activation is risky because the workflow leads to real writes against CRM objects, fields, views, and records after only a single confirmation step.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill instructs the agent to scrape the user's website and infer ICP, sales motion, and business vocabulary, but does not present this as an explicit up-front disclosure or consent boundary. That creates a transparency and privacy issue: users may not realize external content will be collected and used to drive CRM schema decisions and downstream data changes.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The skill explicitly says to tell the user setup is done and then automatically perform a long background sweep updating existing records. This is dangerous because it authorizes silent, potentially large-scale modification of existing CRM data after the main confirmation point, increasing the chance of unintended data corruption, misclassification, or changes the user did not understand were still pending.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger phrases are broad enough to match ordinary CRM maintenance requests, which can cause this skill to activate in situations where the user did not clearly intend autonomous pipeline progression. In this skill's context, activation leads directly to record review and possible state changes, so ambiguous invocation increases the risk of unauthorized or surprising CRM updates.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill is designed to update CRM stages and create activities, but it does not consistently require an explicit user-facing warning that data will be modified. Because the workflow includes autonomous movement of deals, contacts, and companies based on heuristic interpretation of messages, users may unknowingly trigger bulk write operations with business-impacting consequences.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill explicitly instructs the agent to write notes, create activities, and update CRM fields, but it does not require a clear user-facing confirmation before modifying records. In a CRM context, ambiguous or accidental triggering could cause unwanted data changes at scale, including incorrect notes, field pollution, or deal-level propagation that users may trust as authoritative.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The trigger list includes very broad, everyday phrases like "give me a report," "what's working," and "show me the numbers," which can match routine conversational requests outside the intended Breakcold reporting flow. In an agent environment, this can cause the skill to activate unexpectedly, leading to overbroad CRM/inbox data access and generation of reports the user did not clearly request.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding:
This section describes a canonical page-by-page loop that immediately decides and mutates records, including creating tasks or updating records, across batches. Although it mentions first-page confirmation for one-shot runs, it explicitly allows scheduled routines to run end-to-end without confirmation, which can enable large-scale unintended data modification if the workflow criteria are wrong or stale.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The guide instructs the agent to enumerate CRM objects, fields, stage options, view names, inbox views, and record samples to infer business type and reporting structure before assembling a report. That is broader-than-necessary workspace reconnaissance and can expose sensitive operational metadata and user-tracking patterns without an explicit user-facing disclosure, consent gate, or minimization rule.

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content (quoted from the skill):
- **Page size:** every `inbox_conversations_search` / `inbox_conversations_list` / `records_list` call uses **`limit: 20`**. This is non-negotiable — larger pages exceed the inline payload threshold on common agent runtimes, get saved to a file, and trigger the model's confidence-loss cascade.
- **Main thread only:** every tool call runs directly in the agent's main thread. Do **not** invoke any sub-agent / task-delegation tool. Contact detection in particular is sensitive to this: sub-agents lose the cached duplicate-check state and may create the same record twice.
- **Small-batch first for one-shot runs:** process only the first 20 conversations of the cohort, decide and create, then surface results and ask the user "say *continue* to sweep the rest." Scheduled runs proceed end-to-end without confirmation.

1. **Discover** (cached): workspace, Person object, Person fields (especially email, LinkedIn, phone, company, source, status), existing Person records (you'll need them indexed for duplicate detection). Crucially, also pull the **user's CRM taxonomy** so you can evaluate category-fit (per the 95% confidence rule above):
   - Pipeline stage option labels via `crm_field_options_list` on the stage field.
Confidence: 94%
Finding: without confirmation
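The loop quoted in this finding, together with the earlier findings on scheduled routines running end-to-end and on writes happening after the user has been told setup is done, describes a procedure that is worth seeing gated. The Python below is an added example, not code from the Breakcold skill, its MCP server, or SkillSpector; the `WritePolicy` and `CrmSession` types, the record shapes, and the sample cohort are hypothetical. It keeps the skill's page size of 20 but applies the first-page confirmation boundary to scheduled runs as well, adds a per-run write budget, surfaces breadcrumbs to the user instead of writing them silently, and keeps duplicate-check state in a single session (the reason the skill forbids sub-agents).

```python
"""Write gate for an agent that mutates CRM records in batches.

Added example; not code from the Breakcold skill, its MCP server, or
SkillSpector. Record shapes, type names and the policy object are
hypothetical. It enforces what the findings say the skill lacks: a
confirmation boundary that applies to scheduled runs too, a per-run
write budget, and duplicate detection keyed on a normalized email.
"""
from dataclasses import dataclass

PAGE_SIZE = 20  # the skill's own non-negotiable page size


@dataclass
class Conversation:
    conv_id: str
    sender_email: str


@dataclass
class WritePolicy:
    mode: str                 # "one_shot" or "scheduled"; both obey the same gate
    allow_writes: bool        # False => read-only run, every create is denied
    write_budget: int         # max Person records this run may create
    confirmed_pages: int = 1  # pages the user has approved; default: first page only


class WriteDenied(Exception):
    """Raised when the policy forbids a mutation; the loop stops and reports."""


def normalize_email(addr: str) -> str:
    # Case-fold and trim so "Lead5@Example.com " and "lead5@example.com" collide.
    return addr.strip().lower()


class CrmSession:
    def __init__(self, existing_emails, policy: WritePolicy):
        self.index = {normalize_email(e) for e in existing_emails}  # duplicate-check state
        self.policy = policy
        self.created = []
        self.breadcrumbs = []  # shown to the user; never written into the CRM unasked

    def create_person(self, conv: Conversation):
        key = normalize_email(conv.sender_email)
        if key in self.index:
            self.breadcrumbs.append(f"skip {conv.conv_id}: {key} already exists")
            return None
        if not self.policy.allow_writes:
            raise WriteDenied("writes are disabled for this run")
        if len(self.created) >= self.policy.write_budget:
            raise WriteDenied(f"write budget of {self.policy.write_budget} exhausted")
        self.index.add(key)  # update state before the next duplicate check
        self.created.append(key)
        self.breadcrumbs.append(f"create Person {key} from {conv.conv_id}")
        return key


def process_cohort(convs, session: CrmSession) -> dict:
    """Page through the cohort PAGE_SIZE at a time; stop at the confirmation boundary."""
    pages = [convs[i:i + PAGE_SIZE] for i in range(0, len(convs), PAGE_SIZE)]
    done = 0
    for page_no, page in enumerate(pages, start=1):
        if page_no > session.policy.confirmed_pages:
            # Scheduled runs get no exemption here, unlike the quoted skill text.
            return {"status": "needs_confirmation", "pages_done": done,
                    "remaining_pages": len(pages) - done}
        for conv in page:
            try:
                session.create_person(conv)
            except WriteDenied as exc:
                return {"status": "denied", "reason": str(exc), "pages_done": done}
        done += 1
    return {"status": "complete", "pages_done": done, "remaining_pages": 0}


def make_cohort(n: int):
    # Constructed sample input: n inbox conversations from distinct senders.
    return [Conversation(f"conv-{i}", f"lead{i}@example.com") for i in range(n)]


# Constructed: Person records already in the CRM, one with different casing.
EXISTING = ["lead0@example.com", "Lead5@Example.com", "lead30@example.com"]


def run(policy: WritePolicy, n: int = 45):
    session = CrmSession(EXISTING, policy)
    result = process_cohort(make_cohort(n), session)
    return result, session


if __name__ == "__main__":
    one_shot = WritePolicy("one_shot", allow_writes=True, write_budget=PAGE_SIZE)
    res, sess = run(one_shot)
    print(res, len(sess.created))  # stops after page 1; 18 creates, 2 duplicates skipped
    sweep = WritePolicy("scheduled", allow_writes=True, write_budget=100, confirmed_pages=3)
    print(run(sweep)[0])           # all pages pre-approved: runs to completion
    readonly = WritePolicy("scheduled", allow_writes=False, write_budget=0)
    print(run(readonly)[0])        # denied on the first non-duplicate sender
```

The point of the design is that nothing about the run mode loosens the gate: a scheduled routine reaches the rest of the cohort only because `confirmed_pages` and `write_budget` were set ahead of time by the user, and a stale or wrong workflow criterion can cost at most `write_budget` records before the loop stops and reports.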

VirusTotal

64/64 vendors reported this skill as clean (0 detections).
