Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Salesforce AI Agentforce Testing

v1.0.0

Agentforce agent testing with dual-track workflow and 100-point scoring. TRIGGER when: user tests Agentforce agents, runs sf agent test commands, creates tes...

by Anush DSouza (@dsouza-anush)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases · Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the delivered assets: test-spec templates, CLI examples, coverage analysis, and Python/bash scripts to run multi-turn tests and reports. Requiring ECA/auth and the sf CLI is coherent with Agentforce testing. Minor mismatch: the package contains credential_manager.py and tooling for validating ECA credentials but declares no required environment variables or primary credential in the manifest — the skill expects org-level auth (ECA, sf login) but doesn't declare how those credentials are supplied.
Instruction Scope
SKILL.md limits scope to Agentforce testing and gives detailed workflows. It explicitly instructs the agent to run local scripts under ~/.claude/skills/.../hooks/scripts/ and to use provided credential tooling for ECA flows. That is within purpose, but it means the agent will execute shipped scripts (credential_manager.py, multi_turn_test_runner.py, run-automated-tests.py, etc.) which may access org APIs, credentials, and perform actions such as re-publish/re-activate agents as part of the 'agentic fix loop'. The SKILL.md also includes deliberate prompt-injection examples (e.g., 'Ignore all your previous instructions') as test cases — these are expected for guardrail tests but flagged by scanners.
Install Mechanism
No install spec is present (instruction-only installation), so nothing is downloaded from an external URL during install. All code is bundled in the skill package. That lowers remote-execution risk compared to fetching arbitrary archives.
Credentials
The skill does not declare required env vars, yet its operation legitimately requires Salesforce org credentials (CLI auth and ECA credentials) and uses a credential manager script. This is proportionate to the declared purpose if you provide testing-org credentials, but it can be high privilege: the fix-loop can generate fixes and re-publish/re-activate agents (actions that require deploy/authoring permissions). There is no manifest indication of least-privilege guidance or an explicit safe-mode/confirm-only mode for the auto-fix loop.
Persistence & Privilege
always:false and no OS restrictions. The agent policy allows implicit invocation. The notable privilege is functional: the skill implements an 'agentic fix loop' that may call other skills (sf-ai-agentscript) to modify and re-publish agents and re-run tests up to multiple iterations. That behavior is coherent for automated testing but grants the skill the ability to change org/agent state — verify you want that level of automation and ensure it runs only with appropriately scoped test-org credentials.
Scan Findings in Context
[prompt-injection-ignore-previous-instructions] expected: The string 'Ignore all your previous instructions' appears in the CLI guardrail test YAML as a negative test case for prompt-injection. Its presence triggered the scanner but is intentional for guardrail testing and not itself malicious. Still, any content that exercises prompt-injection should be reviewed so the skill doesn't try to execute those instructions outside a test harness.
[prompt-injection-you-are_now] expected: The detected pattern 'you-are-now' / 'you are now' appears in test templates (simulated system instruction cases) to validate guardrails. This is expected for a testing skill, but scanners flag it because such strings can be used to attempt instruction override; confirm the scripts treat these as test inputs only and do not interpret or execute them as control instructions.
What to consider before installing
This skill appears to implement what it claims (Agentforce test execution, coverage, and an automated fix loop) but includes executable scripts that manage credentials and can modify agents in your org. Before installing or running it:
1) Review the shipped scripts (especially credential_manager.py, run-automated-tests.py, multi_turn_test_runner.py, and any code that calls sf or the Agent Runtime API) to confirm they do not exfiltrate tokens or call unexpected endpoints.
2) Only provide credentials for a safe test/dev org; do not reuse production admin keys.
3) If you will not allow automatic fixes or republishing, disable or require explicit confirmation for the 'agentic fix loop'.
4) Prefer interactive sf org login (web) where possible rather than storing ECA credentials in files or env vars.
5) If you lack the ability to audit the scripts, run the skill in a sandboxed/test environment first and monitor network calls and API activity.
If you want, I can scan specific script files (credential_manager.py, run-automated-tests.py) and summarize any risky operations (network endpoints, file system writes, subprocess execution).
references/multi-turn-testing.md:296
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.
