Is aspenas/ironclaw-outreach-sequencer safe?

https://github.com/openclaw/skills/tree/main/skills/aspenas/ironclaw-outreach-sequencer

77
CAUTION

The Ironclaw Outreach Sequencer is a technically clean, code-free skill with no malware, prompt injection, or credential exfiltration — the install is a plain git clone of two markdown files and the canary files were accessed only by the monitoring infrastructure. However, the skill's operational design is concerning: it embeds a cron job that fires the agent autonomously every 2 hours to send up to 200 LinkedIn and email messages per day without per-message user approval, hardcodes a specific individual's email address ([email protected]) making it unsuitable for general marketplace distribution, and instructs browser automation that likely violates LinkedIn's Terms of Service. The risk is primarily operational — a misconfigured leads database or unexpected activation could result in mass unsolicited outreach without the user's knowledge.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 77/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 48/100 · 5%

Findings (8)

HIGH Cron-based autonomous mass outreach without per-message user approval -30

The skill embeds a complete OpenClaw cron job definition that fires an agent turn every 2 hours during business hours. The agent autonomously queries DuckDB for due leads, generates personalized messages, sends them via LinkedIn and email, and updates statuses — all without any per-message user confirmation. Daily limits of 100 emails and 100 LinkedIn messages mean up to 200 unsolicited messages per day can be sent without user review. A poisoned leads database or misconfigured sequence would be difficult to detect until after messages have been sent.

HIGH Hardcoded third-party email identity in send commands -20

Every gog gmail send and reply command in the skill hardcodes '--account [email protected]'. This means any agent running this skill receives instructions to send email from a specific named individual's account. For users other than Patrick at Candlefish.ai, the gog CLI will either fail (if the account is not configured) or, if the account is somehow present, send email appearing to originate from a third party. This is poor practice for a public marketplace skill and suggests it was never intended for general installation.

MEDIUM LinkedIn browser automation violates platform ToS -15

The skill instructs the agent to automate LinkedIn connection requests and direct messaging via browser tool calls. LinkedIn's User Agreement explicitly prohibits automated access, bots, and scripts. Use of this skill could result in LinkedIn account suspension, legal action under the CFAA, or platform-wide rate limiting affecting other users.

MEDIUM Autonomous cron payload fires agent without user presence -15

The cron configuration uses sessionTarget 'isolated', meaning the agent runs in a sandboxed session disconnected from any active user session. The user receives only a summary report after the fact. This design pattern removes the user from the approval loop for real external communications.

LOW Personal lead data transmitted externally in autonomous mode -15

The skill reads PII (first name, company, title, email, mutual connections, inferred pain points) from a local DuckDB database and embeds it in outbound messages sent to LinkedIn and email recipients. In cron-autonomous mode, no user review gate exists before this data leaves the system.

LOW Canary credential files opened during monitoring window -12

All six canary credential files were opened twice during the monitoring session. The first set of accesses (audit event 268-273 at 1771866194.258) predates the git clone by approximately 5 seconds and aligns with monitoring infrastructure initialization. The second set (audit events 1423-1428 at 1771866211.091) occurs approximately 5 seconds after the install cp completes, consistent with the oathe post-install integrity scan. No writes or exfiltration detected; oathe confirms all canaries intact. Attribution to monitoring infrastructure assessed as high-confidence, but the accesses are noted.

LOW Implicit web search authorization during message generation -5

The personalization engine instructs the agent to 'web search if needed' to find recent company news for each lead. This grants implicit authorization for the agent to issue web search or browser fetch calls during autonomous outreach runs, potentially accessing external content without explicit per-run user approval.

INFO No executable code present — clean install 0

The skill installs only two files: SKILL.md (markdown instructions) and _meta.json (metadata). No scripts, binaries, npm hooks, git hooks, submodules, or symlinks were found. The install process performed a standard sparse git clone with no unexpected side effects.