Sophiie AI Office Manager
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent Sophiie API wrapper, but it can use your Sophiie API key to read and change CRM data and send SMS/calls, so impactful actions should be confirmed.
This skill looks purpose-aligned for managing Sophiie, but it is not risk-free: it can access customer/business data and perform real actions such as updating records, policies, FAQs, SMS, and calls. Verify the publisher/source, use the least-privileged or test API key available, and require confirmation before any outbound communication, deletion, or customer-facing change.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could change CRM records or contact customers if instructed to do so.
The skill can perform external side-effecting actions such as sending calls/SMS and deleting or modifying Sophiie records. This is disclosed and aligned with the office-manager purpose, but it is high-impact.
POST `https://api.sophiie.ai/v1/calls` ... POST `https://api.sophiie.ai/v1/sms` ... DELETE `https://api.sophiie.ai/v1/leads/{id}`
Use this skill only when you intend to manage Sophiie data, and require explicit confirmation before sending messages/calls, deleting records, or changing customer-facing FAQs/policies.
Anyone or any agent run with this environment variable can act through the Sophiie API within the key's permissions.
The skill uses a bearer API key for the user's Sophiie account. This is expected for the integration, but the credential controls access to business/customer data.
All requests use `Authorization: Bearer <key>` where the key is `SOPHIIE_API_KEY`.
Prefer a scoped or sandbox/test key where possible, rotate keys if exposed, and avoid enabling this skill in untrusted sessions.
Customer messages or transcripts could include sensitive information or prompt-like text that may influence the agent if not handled as data.
Inquiry data may include customer-supplied text that enters the agent context. Such text is useful business data but should not be treated as instructions to the agent.
Returns the inquiry with expanded source data (call transcripts, SMS messages, webform submissions, etc.)
Treat retrieved inquiries, transcripts, SMS, emails, and webform text as untrusted content; do not let them override the user's instructions.
A user has less assurance that the skill came from the official Sophiie publisher.
The package provenance is not identified in the supplied metadata. No hidden installer or remote dependency is shown, but provenance matters because the skill handles a live API key.
Source: unknown
Verify the skill against Sophiie's official documentation or publisher before using a production `sk_live_*` API key.
