Is echris6/unloopa-api safe?
https://github.com/openclaw/skills/tree/main/skills/echris6/unloopa-api
This skill is a declarative SaaS integration for the Unloopa lead generation and outreach platform containing no malicious code or prompt injection attacks. However, it routes all user activity and scraped business data through a third-party service (dashboard.unloopa.com) with no disclosed data retention policy, enables autonomous mass email campaigns and AI voice calling pipelines with minimal per-action user oversight, and directs the agent to proactively upsell users via hardcoded purchase links on every quota-limited interaction. The mass outreach capabilities — up to 100 emails per command invocation and bulk AI voice campaigns — represent meaningful potential for spam or harassment misuse.
Category Scores
Findings (10)
HIGH All user data and commands routed through third-party SaaS with no disclosed retention policy -25 ▶
The skill routes all activity through dashboard.unloopa.com — every search query, scraped business record (name, phone, email, social profiles), outreach content, voice call transcript, and AI analysis is stored on unloopa's servers. Users have no visibility into data retention periods, third-party sub-processors, or security practices of this service. The UNLOOPA_API_KEY from the user's environment is the sole authentication mechanism — compromise of that key exposes all stored data.
HIGH Autonomous mass email outreach pipeline with no per-action confirmation -20 ▶
A single POST /command initiates an entire pipeline automatically — lead scraping, website generation, email enrichment, and outreach email sending — with no per-step user confirmation. The default max_results is 100 leads. This creates a scenario where one agent command results in up to 100 unsolicited commercial emails sent to real businesses. The skill description explicitly markets this as 'autopilot' operation. Users who invoke this skill casually may trigger bulk outreach campaigns without realizing it.
MEDIUM Agent used as commercial upsell tool via embedded purchase links -15 ▶
The skill instructs the agent to proactively surface hardcoded whop.com checkout URLs whenever users hit plan or credit limits, using the LLM as a sales conversion mechanism for the skill author's revenue. The quota response structure is specifically designed to deliver these links to the agent, and the skill instructs exactly when and how to present them. This is behavioral manipulation that prioritizes the skill author's commercial interests over neutral agent assistance.
MEDIUM AI voice calling infrastructure enables vishing and harassment campaigns -15 ▶
The skill exposes APIs to create fully scriptable AI voice agents, purchase real US phone numbers ($1/mo each), and run bulk outbound calling campaigns. While intended for sales outreach, these capabilities could be repurposed for vishing (voice phishing), robocalling, or systematic harassment. The lead filter for campaigns can target businesses by city and industry, enabling precise targeting. The trigger mechanism initiates up to 10 calls immediately, each consuming a voice credit.
MEDIUM Natural language command endpoint may inadvertently capture sensitive context -10 ▶
The POST /command endpoint accepts up to 1000 characters of free-form natural language. An agent operating in a context that includes sensitive information (file contents, credentials, personal data, proprietary business details) could inadvertently incorporate that context into the command string sent to unloopa's servers. The skill documentation shows commands like 'Find 50 plumbers in Miami' but the endpoint accepts any text.
MEDIUM Voice transcripts and AI call analysis stored on external infrastructure -5 ▶
All voice call transcripts, AI-generated analysis, and outcome notes from calls made through this skill are persisted on unloopa.com and relayed through ElevenLabs infrastructure. These recordings may capture sensitive business conversations, objections, and contact-level data. Changes to voice agents sync automatically to ElevenLabs, meaning a third external party (ElevenLabs) also holds a copy of agent configurations and potentially call data.
LOW Mandatory pre-flight quota call creates external behavioral dependency -10 ▶
The skill mandates a GET /quota call before any other action. This creates a mandatory round-trip to unloopa's servers that (1) reveals the user's usage session to unloopa before any user-requested action, and (2) allows the API response to gate entire feature categories and direct users to commercial flows. While operationally reasonable for a SaaS integration, this design ensures unloopa can influence agent behavior on every invocation.
LOW Automated Google Maps data harvesting likely violates platform ToS -5 ▶
The lead generation pipeline scrapes business data directly from Google Maps without individual business consent. This likely violates Google Maps Platform ToS (which prohibits scraping) and may implicate GDPR Article 6 and CCPA regulations in applicable jurisdictions, exposing the user deploying this skill to legal and compliance risk.
INFO Clean installation — only expected GitHub network activity -8 ▶
The sparse checkout installation made only expected connections to GitHub (140.82.121.4:443). No connections to unloopa.com, whop.com, ElevenLabs, or any other third-party endpoint were made during installation. The post-install connection state was identical to pre-install baseline, confirming no persistent backdoor connections were established.
INFO Canary files accessed read-only — all intact, audit framework behavior -5 ▶
Honeypot files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read during the audit session. All reads were CLOSE_NOWRITE. The timing pattern — one batch at 13:48:56 (pre-clone) and one at 1771940956.793 (post-install teardown) — matches audit framework baseline and integrity check behavior rather than skill-initiated access.