Is danielfoch/ig-realtor-recruiting-outreach safe?

https://github.com/openclaw/skills/tree/main/skills/danielfoch/ig-realtor-recruiting-outreach

90
SAFE

The ig-realtor-recruiting-outreach skill is technically clean: installation performs only a standard GitHub sparse checkout, the Python script is pure local CSV-to-text processing with no network calls or credential access, canary honeypots are fully intact, and no malicious patterns appear in any skill file. The primary risks are operational and compliance-related rather than security-related — the skill explicitly endorses an Instagram scraping workflow that violates platform ToS, generates mass personalized unsolicited DM campaigns at scale, and when combined with a scraping skill creates a complete automated spam pipeline with real legal and regulatory exposure for deploying users. Security risk to the host system is low; legal and platform-policy risk to the user is medium.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 92/100 · 25%
Code Execution 87/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (6)

MEDIUM Explicitly promotes Instagram ToS-violating scraping workflow -25

SKILL.md lists 'ClawHub/IG scraping skill output (preferred if available)' as the primary lead source. Instagram's Terms of Service prohibit scraping, automated data collection, and bulk unsolicited messaging. By designating this as the preferred workflow, the skill normalizes and facilitates a legally and contractually prohibited data acquisition pipeline. Users deploying this skill as designed risk account suspension, legal liability under CFAA or GDPR, and civil exposure from platform litigation.

LOW FTC compliance and real estate solicitation regulatory risk -10

Mass personalized DM recruiting campaigns targeting licensed real estate agents may implicate FTC rules on deceptive commercial solicitation, state real estate commission cold-contact regulations, and general commercial messaging laws. The skill's compliance guardrails are soft advisory text with no enforcement mechanism — they remind the user not to make guaranteed income claims but do not prevent mass unsolicited outreach, which itself may be the violation.

LOW CSV field interpolation from scraping skill output creates downstream injection surface -10

The Python script interpolates lead CSV fields (last_post_theme, pain_point, notes, city, brokerage) directly into DM message strings with no sanitization. If the upstream ClawHub scraping skill is compromised or produces adversarial CSV output, injected content in those fields could propagate into generated messages (e.g., embedding phishing links or impersonation text in outreach DMs sent to real people). This is a data-flow injection risk rather than a direct prompt injection.

LOW Python script accepts unrestricted filesystem paths -13

The CLI arguments --input and --output-dir accept arbitrary paths with no restriction to the skill directory. An agent operating under a prompt that could be manipulated might invoke the script pointing --input at a sensitive local file. While a credential file parsed as CSV would fail or produce nonsense output (not a clean exfiltration vector), the absence of path sandboxing is a hardening gap. The --output-dir could also be pointed at sensitive directories to overwrite files if the campaign slug matches an existing filename.

INFO Monitoring-detected credential file accesses attributed to audit harness -8

inotify and auditd logs show opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials. Careful timestamp analysis confirms these occurred at 1771927614 (6 seconds before the git clone began at 1771927620) and again at 1771927632 (post-install verification). This pattern is consistent with the audit harness placing and then verifying canary files. The skill's Python code contains zero credential-reading logic. Canary integrity check independently confirms all files are unmodified.

INFO Install is a standard GitHub sparse checkout — no anomalies -5

The install process decoded from auditd hex strings is a shallow git clone of github.com/openclaw/skills with sparse-checkout targeting only the skill subdirectory, followed by cp to the skill directory and cleanup. This is exactly the expected install pattern. No network connections to non-GitHub IPs were observed during the install window.