Is concaption/foxreach-io safe?

https://github.com/openclaw/skills/tree/main/skills/concaption/foxreach-io

91
SAFE

The FoxReach skill is a well-structured, purpose-built API wrapper for cold email campaign management. No prompt injection, hidden instructions, unauthorized file access, or data exfiltration to unexpected endpoints was detected. The skill's risk profile is low: the primary concerns are a broad Python execution permission in allowed-tools, API key exposure in process arguments, and the inherent bulk-email capability of the underlying platform — none of which represent malicious design.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 87/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 81/100 · 5%

Findings (5)

LOW Overly broad Python execution permission -13

The allowed-tools declaration includes Bash(python *), which permits the agent to execute any Python script, not just FoxReach SDK calls. An adversarial user prompt could potentially leverage this to run unrelated Python code while the skill is active.

LOW API key exposed in process argument list -7

The skill instructs injecting the FoxReach API key as a shell environment variable prefix (FOXREACH_API_KEY=otr_... python script.py). This makes the key value visible in /proc/<pid>/cmdline and to any process with read access to the process table during execution.

LOW Bulk lead enumeration via auto_paging_iter -10

The skill documents and encourages use of auto_paging_iter() to iterate through all leads. For large accounts this could load thousands of contact records (email, name, company, phone, custom fields) into the agent's context window in a single operation, increasing blast radius of any subsequent context leak.

INFO Cold email platform enables bulk outreach -19

The skill wraps a cold email sending API capable of launching multi-step automated campaigns to large lead lists. Misuse by a user (intentional or via social engineering) could result in mass unsolicited email. This is a user-policy concern rather than a skill security defect, as the skill itself contains no deceptive instructions.

INFO Monorepo sparse-checkout install pattern -5

The skill is installed via a full git clone of the openclaw/skills monorepo followed by sparse-checkout. While the final copied files matched the declared skill path, a shallow clone of the entire monorepo history traverses all refs, increasing the attack surface window compared to a direct archive download.