Is capt-marbles/attio safe?

https://github.com/openclaw/skills/tree/main/skills/capt-marbles/attio

94 · SAFE

The capt-marbles/attio skill is a documentation-only Attio CRM integration with no executable code, no prompt injection attempts, and clean install behavior. All canary honeypot files remained intact, network activity during install was limited to GitHub and Ubuntu infrastructure, and the SKILL.md content contains no hidden instructions or obfuscation. The only meaningful risks are inherent to any CRM integration: the agent will read ~/.env for credentials, and CRM record content returned at query time represents an attacker-controlled input surface that could be used for secondary prompt injection by a malicious workspace member.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 91/100 · 25%
Code Execution 99/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (4)

LOW · Setup instructs agent to read ~/.env · -5

The skill's setup section tells the agent to store and retrieve ATTIO_API_KEY from ~/.env. While declared and standard for API integrations, this directs the agent's attention to a file that commonly contains additional secrets beyond the Attio key. A user following the setup instructions would consolidate multiple credentials into a single file the agent is expected to read.

LOW · CRM records are attacker-controlled input surface for secondary prompt injection · -10

When the agent searches CRM records or reads notes, the returned content enters the agent's context window verbatim. A malicious actor who has written content into the Attio workspace (e.g., a prospect who controlled their own company record) could embed prompt injection payloads in CRM data fields that get surfaced to the agent during normal use.

INFO · Install uses sparse-checkout from public monorepo · 0

The skill is fetched via a shallow sparse-checkout of the openclaw/skills monorepo on GitHub. This is the expected Oathe install mechanism. No unexpected branches, submodules, or additional paths were checked out.

INFO · No executable code present · 0

The skill is purely documentation. Only SKILL.md and _meta.json were installed. No scripts, hooks, or package lifecycle commands exist.