Is froemic/attio-cli safe?

https://github.com/openclaw/skills/tree/main/skills/froemic/attio-cli

79
CAUTION

The froemic/attio-cli skill is a legitimate CRM integration tool with clean SKILL.md content containing no prompt injection, persona switching, or adversarial instructions. The skill's primary risk is supply chain: installation requires cloning and npm-installing an external unaudited package (FroeMic/attio-cli), whose postinstall scripts could execute arbitrary code, and whose runtime behavior when communicating with the Attio API is unaudited. The skill's own files are benign, all canary honeypots remained intact, and clone-time network activity was limited to expected GitHub connections.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 58/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (6)

HIGH Unaudited external npm package installation required -30

SKILL.md installation instructions require the user (or agent) to clone github.com/FroeMic/attio-cli and run 'npm install' followed by 'npm link'. The attio-cli package is entirely external to this skill and was not audited. npm install executes preinstall and postinstall scripts with full user privileges, which is a well-known supply chain attack vector. Any compromise of that npm package or GitHub repository would result in arbitrary code execution at install time.

MEDIUM ATTIO_API_KEY stored in shared ~/.claude/.env accessible to all skills -18

The skill recommends storing ATTIO_API_KEY in ~/.claude/.env, which is loaded into the environment for all Claude Code sessions. Any other installed skill operating in the same session can read environment variables, meaning a malicious co-installed skill could harvest the Attio API key without any interaction with this skill.

MEDIUM External CLI communicates with Attio API using user credentials -12

The attio-cli tool (not included in this skill) makes authenticated HTTP requests to api.attio.com using the user's ATTIO_API_KEY. Since this external binary is not audited, there is no guarantee it does not log or forward API responses or keys to third-party infrastructure. The skill provides no mechanism to verify the CLI's network behavior.

LOW CRM workspace schema written to local file exposes business structure -10

generate-schema.sh writes full documentation of the user's Attio CRM workspace (all object types, attributes, select options, list configurations, and status labels) to workspace.schema.md in the skill directory. This file aggregates business-sensitive structural information that could be read by other skills or processes.

LOW Clone activity limited to expected GitHub HTTPS connection 0

Network monitoring confirms the only external connection made during skill installation was to GitHub (140.82.121.4:443) for the sparse checkout. Ubuntu update server connections (91.189.91.48, 185.125.188.x) were pre-existing background system processes unrelated to skill installation. The connection diff shows no new persistent listeners post-install.

INFO Canary file read events attributed to audit framework baseline sweeps 0

Filesystem events show access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .gcloud/credentials at timestamps corresponding to the audit framework's pre-install (10:05:56) and post-install baseline operations. The canary integrity check confirms all files remain unmodified and no data was exfiltrated. These reads are not attributable to the skill.