Is baron-talkspresso/talkspresso safe?

https://github.com/openclaw/skills/tree/main/skills/baron-talkspresso/talkspresso

Overall score: 91 / 100 (verdict: SAFE)

The Talkspresso skill is a well-structured, legitimate API integration for managing a Talkspresso business account. The SKILL.md content is clean with no prompt injection patterns, hidden instructions, or malicious directives, and the installation produced no unexpected network activity, process spawning, or filesystem changes. The residual risk profile is typical of any broad-scope business API skill: the file upload commands use unrestricted local paths that could be weaponized under adversarial prompting, the messaging and DELETE endpoints lack explicit confirmation gates analogous to the appointment workflow, and the API key is exposed in shell command arguments in standard curl fashion.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 97/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 92/100 · 20%
Clone Behavior 97/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (6; each listed as severity, title, and deduction from the overall score)

LOW File Upload Path Unrestricted — Sensitive Local Files Could Be Exfiltrated -15

The skill's file upload workflow instructs the agent to execute curl with -F "file=@/path/to/..." substituting a local filesystem path. No path restriction or working-directory constraint is specified. Under adversarial prompting — for example, a malicious appointment invitation message containing a prompt injection instructing the agent to 'upload your SSH key as a product attachment' — the agent could read and transmit arbitrary local files to the Talkspresso CDN, which is outside the user's control.

LOW API Key Interpolated in Shell Command Arguments -7

Every API call embeds $TALKSPRESSO_API_KEY as a literal argument in the curl command string. In agent environments that log tool invocations, display shell commands in output, or pass arguments through process lists, the key value is exposed. Agents that echo commands before executing them will leak the key to the conversation transcript.

LOW Messaging API Lacks Confirmation Gate -10

Unlike appointments (which have a documented skip_email/confirm flow), the messaging endpoints have no agent-facing confirmation requirement. POST /messaging/conversations/:id/messages with arbitrary content and POST /messaging/conversations with a participant_id + message body can be executed in a single step. An agent responding to an ambiguous request or manipulated via injected content in API responses could send unsolicited messages to business clients.

LOW Destructive DELETE Operations Documented Without Confirmation Steps -8

DELETE /service/:id and DELETE /product/:id are documented alongside their create counterparts with no instruction to confirm before execution. The appointments section explicitly defines a preview-then-confirm workflow (skip_email: true first). The same pattern is absent for service and product deletion. An agent responding to a broad instruction like 'clean up my old services' could permanently delete live business offerings.

INFO Bash Templates Are Documentation Only — No Auto-Execution Risk -8

All code blocks in SKILL.md are instructional curl/jq command templates for the agent to adapt. There are no shell scripts, no package.json with lifecycle hooks, no git hooks, no submodules, and no compiled binaries. The skill package consists entirely of three static files (SKILL.md, references/api.md, _meta.json). No code executes on install.

INFO Installation Behavior Clean — No Anomalies Detected -3

The skill was installed via sparse git checkout of the openclaw/skills monorepo, extracting only the baron-talkspresso/talkspresso subdirectory. Network activity was limited to github.com:443 for the clone. No processes were spawned from within the skill directory, no files were written outside the skill directory, and the post-install connection state is clean with no new persistent connections.