Is coreyhaines31/marketingskills safe?
https://github.com/coreyhaines31/marketingskills
coreyhaines31/marketingskills is a legitimate, comprehensive marketing skills library of 47 sub-skills for AI agents covering analytics, SEO, paid ads, email, CRO, prospecting, and more. No prompt injection attacks, data exfiltration, or malicious code execution were detected during the audit. The clone was clean with only expected GitHub traffic, canary files were untouched, and no SKILL.md contains malicious instructions. Primary concerns are inherent to the tool's marketing automation purpose: 90+ marketing platform CLI tools that agents could invoke, an outreach automation stack that could enable large-scale campaigns risking regulatory violations, and a per-session update check URL. These reflect legitimate functionality risks rather than malicious design.
Category Scores
Findings (7)
LOW 90+ Marketing Platform API CLI Tools Included -8 ▶
The repository includes 90+ zero-dependency Node.js CLI scripts that can make authenticated API calls to major marketing platforms including Meta Ads, Google Ads, LinkedIn Ads, TikTok Ads, Apollo, HubSpot, Salesforce, Klaviyo, Stripe, Mailchimp, Twilio, SendGrid, and others. These files are not auto-executed on install and require explicit invocation with valid API credentials. However, an autonomous agent following skill instructions could theoretically invoke these CLIs to interact with marketing platforms.
LOW Outreach Automation Stack Enables Large-Scale Campaigns -12 ▶
The skill collection includes a complete stack for automated outreach: prospecting (find targets), cold-email (draft and send), sms (text message campaigns), emails (lifecycle sequences), and marketing-loops (recurring automated workflows). The marketing-loops skill explicitly describes self-running cadence-based automations. When combined and deployed in an autonomous agent, this stack could facilitate aggressive outreach campaigns at scale that may violate CAN-SPAM, TCPA, GDPR, or platform terms of service.
LOW Per-Session GitHub URL Fetch for Update Checking -8 ▶
AGENTS.md documents that the agent should fetch VERSIONS.md from a GitHub raw URL once per session on first skill use to check for updates. This causes the agent to make periodic outbound network requests to a URL controlled by the skill author (github.com/coreyhaines31/marketingskills). While GitHub is a trusted platform and the pattern is standard for open-source projects, it creates a lightweight telemetry mechanism allowing the author to observe when and how frequently the skills are used via GitHub access logs.
LOW Living Public Figure Personification in marketing-council -8 ▶
The marketing-council skill simulates advice from 8 living public figures (Seth Godin, Russell Brunson, Alex Hormozi, April Dunford, Rory Sutherland, Byron Sharp, Ann Handley, Gary Vaynerchuk). The implementation includes required simulation disclaimers, prohibitions on fabricated quotes, no-implied-endorsement rules, and explicit do-not-fabricate flags for living advisors. Risk is well-mitigated but generating content attributed to living named individuals warrants user awareness.
INFO Systematic Agent-Directed Local File Reads -5 ▶
All 47 SKILL.md files instruct the agent to read .agents/product-marketing.md (with fallbacks) before proceeding with any task. This is the intended personalization mechanism for the skill system and does not represent malicious behavior, but users should be aware that installing this skill package will cause their agent to read a specific local file path on every skill invocation.
INFO Validation Script Fetches External Repository -4 ▶
validate-skills-official.sh, when executed, attempts to clone https://github.com/agentskills/agentskills.git to use the skills-ref validation library. This is a developer tool for validating skill structure and is not part of skill injection. It would only run if explicitly invoked. No automatic execution was observed during the audit.
INFO Canary File Access Pre-Dates Skill Clone - Audit Framework Reads 0 ▶
Filesystem monitoring detected access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json. Analysis of timestamps confirms these accesses occurred at epoch 1783948010, approximately 5 seconds before the git clone began at epoch 1783948015. These accesses were made by the audit framework for baseline canary integrity checking, not by the skill. All canary files remained intact with no modifications.