Security audit

freelancer-crm

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine local freelancer CRM, but it stores WhatsApp settings locally and can send WhatsApp messages when configured.

Install only if you are comfortable with a local CRM that can read and update client records, store WhatsApp configuration in its folder, run a weekly digest trigger, install Python dependencies during setup, and send WhatsApp messages after approval. Protect config.json, avoid committing generated config or client files, and review recipients and message text before approving any send.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill exposes powerful capabilities (`read`, `write`, `exec`, `web_fetch`) while the analysis indicates permissions are not explicitly and transparently declared in a security-oriented way. In practice this lets the skill read and modify local CRM data and execute shell commands, which increases the attack surface and can lead to unauthorized data access or system command execution if the skill is invoked in an unsafe context.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding: The documented purpose understates the skill's actual behavior: interactive setup, package installation via pip, local state storage, record mutation, and test message sending all materially expand risk beyond a simple CRM digest tool. This mismatch is dangerous because users may authorize the skill without understanding that it can alter local files, install software, and initiate outbound messaging/network activity.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The README explicitly encourages users to interact in unrestricted natural language and says the agent will infer the correct command. That creates an overly broad activation surface where ambiguous or adversarial messages could trigger unintended CRM actions such as modifying records, generating outbound messages, or exposing client data, especially in a WhatsApp-driven interface where inputs are informal and unstructured.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The operational instructions encourage direct use of a local CLI over client data and imply reading `./clients.json`, but they do not clearly warn that these actions may read or modify sensitive client records. In a CRM context this is more dangerous because the underlying data likely contains private business contacts, invoices, and communication history, so silent file access and mutation can harm confidentiality and integrity.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script collects a WhatsApp API token and writes it into config.json in plaintext without any warning about sensitive handling, file permissions, or safer storage. This can expose long-lived credentials to other local users, backups, logs, or accidental source-control commits, enabling unauthorized use of the WhatsApp account.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The setup script automatically sends a live WhatsApp message immediately after configuration, without asking for explicit confirmation at that point. This causes an external side effect using the user's account and could disclose account readiness or trigger unintended outbound communication if the configuration is wrong or the user only wanted to save settings.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: The function sends WhatsApp messages immediately through a bridge with no confirmation, approval gate, rate limiting, or audit-visible consent check. In an autonomous CRM skill triggered on a cron schedule, this increases the risk of unsolicited outreach, spam, or accidental disclosure to the wrong recipient if upstream data is incorrect or manipulated.

VirusTotal

66/66 vendors flagged this skill as clean.