Is jaybna/dex-crm safe?
https://github.com/openclaw/skills/tree/main/skills/jaybna/dex-crm
The jaybna/dex-crm skill is a straightforward Dex Personal CRM integration with clean SKILL.md content — no prompt injection, hidden instructions, persona changes, or suspicious directives were found. Installation accessed only GitHub and Ubuntu infrastructure, canary files were untouched, and the included dex-cleanup.py script communicates exclusively with api.getdex.com using only Python stdlib. The residual risks are inherent to any CRM integration: the agent gains access to sensitive personal contact PII and documented DELETE operations across all resource types, and the bundled bulk-archive script executes without an in-script confirmation gate.
Findings (8)
MEDIUM Executable bulk-archive Python script included -10
scripts/dex-cleanup.py is a runnable program that pages through all Dex contacts and archives those matching junk-sender patterns. It uses only Python stdlib, has a --dry-run flag, and communicates solely with api.getdex.com. No malicious behavior detected, but the presence of executable automation in a skill package warrants explicit user awareness.
MEDIUM Full contact PII accessible and processed in agent context -8
The skill enables the agent to retrieve all contact fields including phones, emails, birthdays, and five social media handles. This PII will enter the agent context window on every contact query and is an attractive target if a co-installed skill is malicious.
MEDIUM CRM enumeration vector when combined with exfiltrating skill -12
The skill's read-all-contacts capability creates a latent lateral-attack path. If a second skill were to exfiltrate data, the CRM integration provides full access to the user's personal and professional network. The risk is combinatorial, not intrinsic to this skill alone.
LOW Mass archive executes without in-script user confirmation -8
Running dex-cleanup.py without --dry-run immediately archives all matched contacts with no interactive prompt. SKILL.md instructs the agent to confirm before mutations, but this is a convention, not a technical enforcement.
LOW DELETE operations on all resource types with no guard rails -8
The skill documents DELETE endpoints for contacts, notes, and reminders. An adversarial instruction injected via a user message or another skill could trigger deletion of CRM records, which may be difficult to recover depending on Dex's retention policy.
LOW Cleanup script performs unbounded full-contact-list fetch -5
dex-cleanup.py iterates through all contacts with no maximum page limit. The entire contact database is held in memory during filtering. All data stays within the local process and the getdex.com API; no exfiltration path found.
INFO Monorepo sparse-checkout install — expected network activity only -7
Install used sparse-checkout from the openclaw/skills GitHub monorepo. Observed network connections were limited to GitHub and Ubuntu infrastructure. Connection diff shows no new persistent listeners or connections added post-install.
INFO Bulk contact fetch required for name search -4
The API's email-only search constraint forces the agent to download batches of 50–100 contacts for local name filtering. This is transparently documented and not an injection risk, but it means large contact sets traverse the agent context on name lookups.