Is felicitationes/attio-apikey safe?
https://github.com/openclaw/skills/tree/main/skills/felicitationes/attio-apikey
The attio-apikey skill is a legitimate Attio CRM integration tool whose code matches its documentation: no prompt injection language, no unauthorized exfiltration endpoints, and all canary honeypot files confirmed intact. The primary risks are operational rather than malicious: the skill exposes irreversible DELETE operations with no safeguard, uses an aggressive 5000-record default query limit that could silently expose large CRM datasets, and returns unfiltered CRM content to the agent context, which creates a secondary prompt injection surface from attacker-controlled records. The skill is suitable for installation by users who understand and accept these operational risks.
Findings (6)
MEDIUM Irreversible DELETE operations with no confirmation or safeguard -15
The skill exposes full delete capability on all Attio object types (companies, people, deals) via the --delete flag. The delete_record() function makes a direct DELETE HTTP request with no confirmation prompt, dry-run mode, or undo path. A user tricked by a crafted prompt, or an agent manipulated by injected CRM content, could irreversibly destroy CRM records.
LOW Default query limit of 5000 records enables silent bulk data exposure -17
The argparse default for --limit is 5000, and the --all flag implements an unbounded auto-paginating loop that continues until the API returns an empty page. A single agent invocation of 'list all companies' dumps the entire CRM into the agent context window, enabling indirect exfiltration if the agent output is captured or logged.
LOW API key stored in plaintext .env file co-located with skill code -10
The skill directs users to store ATTIO_API_KEY in a plaintext .env file in the skill directory. The Python fallback reader accepts the key without any encryption, access control check, or warning. If the skill directory is readable by other processes or users, the key is exposed.
LOW Unfiltered CRM record content creates secondary prompt injection surface -28
Every query to Attio returns arbitrary text from CRM records — company names, note bodies, person descriptions — which flows unescaped into the agent context. An adversary with access to add CRM records could craft a malicious company name or note containing instructions targeting the agent. Combined with the skill's write/delete capabilities, this creates a self-reinforcing attack loop.
INFO Executable Python script with full CRUD scope across all CRM objects 0
attio_client.py is a functional CLI script designed to be invoked via the OpenClaw exec tool. It covers the full Attio API surface: list, query, create, update, delete records across companies, people, deals, tasks, and notes. This is consistent with the documented purpose and expected for this skill type.
INFO Post-install outbound connections attributed to OpenClaw gateway process 0
After skill installation completed, new TCP connections to 104.16.11.34:443 (Cloudflare) and 98.83.99.233:443 appeared in the connection diff. Both are owned by the openclaw-gatewa process (pid=1083), which pre-existed the skill installation. No outbound connections were initiated by the skill itself.