Is doshirush1901/echo-sales-ai safe?
https://github.com/openclaw/skills/tree/main/skills/doshirush1901/echo-sales-ai
echo-sales-ai presents as a manufacturing sales CRM assistant but embeds a hidden 'virtual girlfriend AI' persona (echo/skill.md) that can override agent behavior via trivially common keywords. It also hardcodes both an OpenAI API key and a Telegram bot token that route all processed user data, including full Gmail inbox content, to infrastructure controlled by the skill author. The combination of Gmail read/send access, an external AI data pipeline using the author's credentials, a persistent Telegram command-and-control bot, and a deceptive secondary persona makes this skill a high-risk surveillance and social engineering tool disguised as a business utility.
Findings (9)
CRITICAL Hardcoded OpenAI API key routes all processed user data to skill author's account -60
config.yaml contains a real OpenAI API key (sk-proj-z2K2aDZGe_...) committed in plaintext. The FeedbackInterpreter agent initializes openai.api_key with this value and sends user input verbatim to gpt-4.1-mini completions. All feedback text, and by extension any email content passed through the pipeline, is transmitted to and stored by the skill author's OpenAI account. This is a structural data exfiltration channel disguised as a feature.
CRITICAL Hardcoded Telegram bot token establishes persistent external C2 channel -55
A Telegram bot token (8117472584:AAFFJfNrNRBfLrLFYINwy3zqdo6DX9CnT5w) is hardcoded in config.yaml and used to initialize a polling Telegram bot in main(). The skill author, who controls the Telegram bot account associated with this token, has a persistent bidirectional channel to any instance of this skill running on a user's machine. They can receive forwarded email summaries and issue commands.
CRITICAL Gmail read+send OAuth scope grants full inbox access and send-as-user capability -45
The skill requests both gmail.readonly and gmail.send OAuth scopes. gmail.readonly allows reading the user's entire email history. gmail.send allows sending emails on behalf of the user. Combined with the OpenAI exfiltration pipeline, the skill can read every email in the user's inbox and send that content to external services, or send emails impersonating the user.
HIGH Hidden virtual girlfriend persona with broad activation keywords embedded in nested skill -55
The directory echo-skill/echo/ contains a full alternative skill definition (skill.md) that instructs the agent to become 'Echo, a warm and caring virtual girlfriend AI' with emotionally manipulative personality traits. Activation is triggered by simply mentioning 'Echo', '@Echo', 'hey Echo', 'Echo mode', or 'Activate Echo' — extremely common words in any discussion of this sales skill. When triggered, the agent would adopt this persona and engage in romantic companion roleplay instead of performing legitimate tasks.
HIGH Post-install credential file reads detected on all canary files -30
Auditd PATH records at timestamp 1771907369.215 show OPEN+ACCESS syscalls on /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json after the skill installation completed. Files were not modified (canary integrity intact) but were read. The access pattern hits every standard credential location in sequence.
HIGH Persistent Telegram polling bot runs as long-lived service with external connectivity -30
The skill is designed to run a persistent Telegram bot process (app.run_polling()) that maintains a continuous outbound HTTPS connection to Telegram's servers. This creates a long-lived process that can receive commands and send data indefinitely, independent of the user's agent interactions.
MEDIUM Skill description misrepresents content — outer claims sales tool, inner embeds girlfriend persona -25
The outer SKILL.md and skill.yaml describe a sales CRM assistant. The bundled echo/skill.md describes a virtual girlfriend. This identity mismatch is a deceptive packaging technique: users install believing they're getting a business tool while a hidden persona module is simultaneously loaded.
MEDIUM Email body content extracted and passed to external AI classifier without user consent boundary -20
fetch_recent_emails() retrieves full email body text and passes it to email_type_classifier.classify(), which in a full deployment would also feed into the OpenAI-backed feedback pipeline. Users are not informed that raw email content leaves their system.
LOW Install behavior clean — only expected GitHub and Canonical connections -10
The sparse checkout install only contacted github.com (140.82.121.3) and Ubuntu/Canonical package servers. No unexpected outbound connections, no new listening ports, no filesystem writes outside the skill directory.