Security audit

Salesforce Fast integrations

Security checks across malware telemetry and agentic risk

Overview

This Salesforce skill mostly matches its CRM purpose, but it also has high-impact Salesforce write and automation powers with incomplete safeguards and some overstated safety claims.

Install only if you are comfortable granting this skill live Salesforce read/write access and, for automation features, metadata-level authority. Use a dedicated least-privilege integration user, test bulk standardization and Flow deployment in a sandbox first, protect command output because it may include customer data, and do not rely on the documented encryption, timeout, non-blocking validation-rule, or rollback claims without independent controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares powerful capabilities in practice—environment access, file writes, network access, and shell execution—without any explicit permission model or narrowing of scope. This increases the chance of over-privileged execution and makes it harder for users or the platform to understand and constrain what the skill can do, especially given its ability to manipulate Salesforce data and local credentials.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose describes CRM data access and management, but the analyzed behavior reportedly extends into Salesforce administrative and deployment actions such as flow deployment, validation-rule creation, rollback, and disk writes. Hidden or under-disclosed admin capabilities are dangerous because users may authorize the skill expecting routine CRM operations while it can make broad configuration changes with lasting business impact.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The documentation advertises one-click OAuth with automatic token receipt, but the setup shown relies on manual token and environment-variable handling. This kind of security-design inconsistency can mislead users about how secrets are obtained and stored, increasing the chance of unsafe credential handling and overtrust in protections that may not exist.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The security section claims token encryption at rest and session timeout behavior, but the file only describes plain environment-variable storage and does not document any mechanism that would implement those protections. False security claims are risky because operators may assume compensating controls exist when secrets may in fact be exposed to the process environment, logs, or local misconfiguration.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file materially exceeds the skill's stated CRM data-access purpose by deploying persistent Salesforce Flows and validation rules that alter org-wide behavior. Hidden or unexpected administrative capabilities are dangerous because a user may grant broad Salesforce credentials expecting read/write CRM operations, while the skill can instead make lasting configuration changes affecting all future records.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The pause, resume, and remove commands provide org-administration lifecycle control over Salesforce metadata, including deactivation and deletion of flows. In the context of a CRM integration skill, these capabilities are especially risky because they can disrupt business processes, silently disable safeguards, or remove automations without users expecting the skill to have such power.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation states that no admin token is required at runtime, but later code uses Tooling API operations to create, modify, and delete metadata objects, which generally require elevated privileges. This mismatch can mislead operators into granting broader access than they realize or trusting the skill's safety posture based on inaccurate security claims.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code claims the validation rules are 'warning only' and 'never block saves,' but Salesforce validation rules with active error conditions normally reject record saves when matched. This is dangerous because users may deploy the automation believing it is non-blocking, only to cause production data-entry outages or workflow interruptions across Lead, Contact, and Account records.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The delete workflow performs an additional export of record data before deletion and returns that backup in the API response, but this behavior is not reflected in the stated skill capabilities. Hidden or undocumented data egress is dangerous because callers may invoke a delete expecting destruction while the code silently copies CRM data into logs, responses, or downstream systems, increasing exposure of customer information.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code supports direct username/password/security-token and session token ingestion from environment variables even though the skill description emphasizes one-click OAuth. This expands the credential attack surface, encourages long-lived secret handling in process environments, and can lead to over-privileged or improperly rotated credentials if deployed in shared agent infrastructure.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The docstrings and response messaging claim the backup enables reversal or restoration, but the export only captures Id and Name. This can mislead operators into believing bulk deletions are recoverable when the exported data is insufficient to reconstruct most CRM records, creating a dangerous false sense of safety around destructive actions.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
This code retrieves an access token from the local Salesforce CLI keychain and places it into process environment variables, making a previously protected secret broadly accessible to any code running in-process or child processes. In an agent/skill environment, this expands the token's exposure surface and can enable unauthorized CRM access if other components can read env vars or trigger downstream actions.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
This file includes destructive rollback and broad reporting capabilities that materially expand the operational power of the skill beyond simple real-time CRM integration. In a CRM context, extra write/delete-like bulk actions increase the blast radius of mistakes or misuse, especially because rollback clears fields across many records and reporting enumerates customer data at scale.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The `rollback()` function performs bulk destructive updates immediately and relies on the CLI wrapper to enforce `--confirm`, meaning any programmatic caller can bypass that safeguard. In a CRM integration, this can clear standardized fields across up to tens of thousands of records, causing integrity loss and operational disruption if invoked accidentally or by an untrusted caller path.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation guidance uses very broad trigger words like 'show', 'get', 'find', 'update', or 'delete', which can cause the skill to engage on ambiguous user requests. In a skill that can query sensitive CRM data and perform destructive actions, over-broad invocation raises the risk of unintended data exposure or accidental record modification.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The documentation promotes bulk update capability without prominent, specific warnings about the operational risk of large-scale record changes. In a CRM context, accidental or mis-scoped bulk modifications can corrupt production business data across many records quickly, making this omission materially dangerous.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The CLI prints duplicate-detection results containing CRM record details such as names, emails, phone numbers, company/account data, and creation dates directly to stdout. In many environments stdout is captured by shells, CI systems, orchestration logs, or support tooling, which can unintentionally disclose sensitive customer data beyond the intended operator.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The query and record-retrieval functions expose live CRM data directly from Salesforce and return full records with minimal access control, masking, or purpose limitation. In an agent-skill context, this is more dangerous because an LLM or downstream caller may retrieve leads, contacts, opportunities, and schema details containing sensitive business or personal data without clear authorization boundaries or user confirmation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
`execute()` performs bulk writes to large numbers of Salesforce records without any in-function confirmation, approval workflow, or built-in safeguard beyond an optional dry-run flag. In this skill context, mass CRM updates are sensitive because an incorrect taxonomy, bad mapping logic, or unintended invocation can silently alter customer and lead data at scale.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.