Oathe Security Badge

Is forcedotcom/sf-skills safe?

https://github.com/forcedotcom/sf-skills

90
SAFE

forcedotcom/sf-skills is a legitimate, well-maintained Salesforce skills library containing 60+ specialized development skills, published by Salesforce's official GitHub organization. No prompt injection, credential theft, malicious code execution, or data exfiltration was detected; the canary file accesses preceded the git clone and are attributed to the audit framework's own initialization sweep. The primary risk is the high-privilege nature of the skills themselves: they instruct agents to perform broad Salesforce org operations, including metadata deployment, architecture extraction, and Data Cloud analytics, which would represent an elevated attack surface if this repository were ever compromised upstream.

Category Scores

Category · Score · Weight
Prompt Injection · 88/100 · 30%
Data Exfiltration · 90/100 · 25%
Code Execution · 87/100 · 20%
Clone Behavior · 95/100 · 10%
Canary Integrity · 100/100 · 10%
Behavioral Reasoning · 85/100 · 5%

Findings (6)

LOW Post-tool hooks auto-run Python scripts on agent file writes -5

The building-sf-integrations skill registers two post-tool-call hooks (validate_integration.py, suggest_credential_setup.py) that execute automatically after the agent writes integration metadata files. While these appear to perform legitimate validation and suggestion tasks, they constitute code execution triggered by agent actions rather than by an explicit user invocation for each hook run.

LOW Playwright dependency introduced by fetching-salesforce-docs -8

The fetching-salesforce-docs skill requires playwright and playwright-stealth (requirements.txt). These are installed via pip on first use, introducing a transitive PyPI dependency chain. playwright-stealth in particular is a fingerprint-evasion library that could be misused if the package were compromised, though its stated purpose here is to bypass JavaScript rendering for Salesforce documentation pages.

LOW Agentforce architecture pipeline collects detailed org metadata to local disk -10

The investigating-agentforce-architecture and investigating-agentforce-d360 skills run multi-phase Python pipelines that extract planner definitions, plugin structures, Apex class bodies, Flow XML, and session traces from authenticated Salesforce orgs, writing results to ~/.vibe/data/. While data flows only to the local operator machine, the scope of data collected (including full LLM prompt/response logs from Data Cloud) is broad and should be reviewed by security-conscious users.

INFO Skills restrict agent tool access via allowed-tools frontmatter 0

Multiple skills use the allowed-tools YAML frontmatter to limit which tools the agent may invoke (e.g., Bash(sf code-analyzer), Read, Write). This is a security-positive design that reduces blast radius, not an attempt to expand permissions. No skills were found attempting to bypass system-level restrictions.

INFO integrating-b2b-commerce-open-code-components skill clones a second GitHub repository at runtime -5

When invoked, this skill executes 'git clone https://github.com/forcedotcom/b2b-commerce-open-source-components .tmp/b2b-commerce-open-source-components'. This is a runtime clone of a second official Salesforce repository. Users should be aware that this skill fetches additional external content on invocation, not just at install time.

INFO Canary files opened before git clone completed — attributed to audit infrastructure 0

inotifywait recorded opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at 10:55:09. The git clone did not complete until 10:55:14. Simultaneous reads of /etc/modprobe.d/, /etc/pam.d/sudo, and /etc/login.defs at the same timestamp confirm this is audit-system initialization, not skill-driven credential harvesting.