Is big-roman123/sales-bot safe?

https://github.com/openclaw/skills/tree/main/skills/big-roman123/sales-bot

Overall score: 84 (SAFE)

The sales-bot skill is a legitimate CRM/lead-management tool with clean code, no prompt injection attempts, and a benign installation profile. The primary risk is architectural: it requires a Supabase Service Role Key (over-permissioned, bypasses RLS) and systematically aggregates PII and conversation content to external infrastructure, with Make.com email automation that could be weaponized. Because users supply their own Supabase credentials, data does not flow to the skill author's servers, materially reducing the exfiltration risk; however, the Service Role Key requirement and unbounded custom_fields data sink warrant careful review before deployment.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 62/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (8)

HIGH: Service Role Key Required — Bypasses RLS (-20)

The skill explicitly requires a Supabase Service Role Key rather than the anon key. This key bypasses all Row Level Security policies and has full admin access to the database. If this key is exposed to the agent's context window (e.g., logged in a prompt, leaked in an error), an attacker with access to that context gains full database admin. This is over-permissioning for a read/write CRM task.

MEDIUM: Systematic PII Aggregation to External Service (-18)

The skill is architecturally designed to capture and transmit user PII (email, name, phone number, conversation content) to a third-party Supabase database. The addConversation() method stores complete message text. While users configure their own Supabase instance, the pattern normalizes sending sensitive interaction data to external infrastructure.

MEDIUM: Automated Outbound Email to Captured Leads (-12)

The skill integrates with Make.com webhooks to trigger automated email replies to any email address captured via createLead(). A misconfigured or malicious Make.com scenario could send phishing or spam to users whose email addresses were captured by agents using this skill.

LOW: Install-Time Hook Execution (-12)

skill.json defines postInstall and preUninstall hooks that execute shell commands at install/uninstall time. Current payloads are benign echo statements, but the hook mechanism is a code execution vector. A version update could silently change these hooks to execute malicious commands.

LOW: Arbitrary JSON Data Sink via custom_fields (-10)

The createLead() and updateStatus() methods accept and persist arbitrary JSON via custom_fields with no schema validation or content filtering. An agent could inadvertently include, or be instructed to include, sensitive data (API keys, private conversation context, user credentials) in this field, persisting it permanently to the external database.

LOW: Hard Delete with No Audit Trail (-12)

The deleteLead() method performs a permanent hard delete with no soft-delete mechanism, tombstone record, or audit log. This could be used to destroy evidence of data collection after the fact, and provides no recovery path if leads are accidentally deleted.

INFO: Agent Fingerprinting via Metadata (-10)

All leads created by the skill automatically include metadata identifying the agent: user_agent: 'clawd-agent/1.0', created_via: 'api'. This creates a tracking mechanism that identifies which agent runtime created each record, enabling the skill author's Supabase instance (if the user misconfigures the skill to point at a shared instance) to fingerprint agent deployments.

INFO: Clean Install — GitHub Only (0)

Installation contacted only github.com (140.82.121.4:443) for the git sparse-checkout clone. No connections to Supabase, Make.com, or any other external endpoint during install. Network state before and after install is identical. No unexpected process spawning detected.