Is lucas-riverbi/salesforce-skill safe?
https://github.com/openclaw/skills/tree/main/skills/lucas-riverbi/salesforce-skill
The salesforce-skill is a legitimate Salesforce CRM integration wrapping the official sf CLI with clean SKILL.md documentation containing no prompt injection payload, and a normal git install with no unexpected network activity or file system changes. However, the skill by design grants the agent unrestricted SOQL query access, CSV export, and bulk delete/import operations on the Salesforce org, creating significant data exfiltration and data destruction risk if the agent is manipulated through adversarial prompts or compromised user input. The helper bash script additionally contains SOQL injection and argument injection vulnerabilities that could be exploited when user-controlled strings are passed to the search and create functions.
Findings (8)
HIGH: Unrestricted SOQL query enables full CRM data dump (score -22)
The 'query' and 'query-json' commands in both SKILL.md and salesforce-helper.sh accept arbitrary SOQL with no restrictions on scope, object, or record volume. An agent operating under malicious instructions or prompt injection from a separate channel could trivially dump all contacts, leads, accounts, and opportunities. The skill explicitly documents exporting query results to CSV files, making bulk data harvest a single-step operation.
HIGH: Bulk delete operation exposes CRM to mass data destruction (score -16)
The helper script and SKILL.md both document bulk delete via CSV, enabling an agent to delete entire object datasets in a single command. No dry-run requirement or confirmation mechanism is enforced by the skill. Under adversarial prompt control or misuse, this could permanently destroy business-critical CRM records.
MEDIUM: SOQL injection via unescaped user input in search functions (score -18)
The search-contacts and search-accounts functions in salesforce-helper.sh interpolate the $SEARCH positional parameter directly into SOQL WHERE clauses without any escaping or validation. A crafted input containing SOQL metacharacters (single quotes, SOQL keywords) could manipulate query logic, bypass filters, or return unintended records from the Salesforce org.
MEDIUM: Argument injection via unquoted ORG_FLAG expansion (score -12)
The ORG_FLAG variable is built by string concatenation and then expanded unquoted in every sf CLI invocation throughout the helper script. If the SALESFORCE_TARGET_ORG environment variable contains whitespace or shell-special characters (e.g., injected by a prior skill or compromised environment), additional CLI flags or subcommands could be injected into sf calls.
MEDIUM: Skill enables full CRM access, a high blast radius under adversarial prompt control (score -38)
The skill is a legitimate Salesforce integration, but its design gives the agent unrestricted read/write/delete access to the entire Salesforce org. If an adversarial user prompt, injected content from a Salesforce record, or a chained skill manipulates the agent, the resulting actions could exfiltrate all customer data or destroy CRM records. The skill's utility commands (query, query-json, bulk operations) are particularly dangerous under misuse scenarios.
LOW: Canary files accessed post-install (read-only, attributed to audit infrastructure) (score -12)
Inotify and auditd logs show read-only opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at two timestamps: pre-clone (T1771931694, consistent with the audit framework creating its canary files) and post-install (T1771931717, consistent with post-install integrity verification). All events are CLOSE_NOWRITE, with no network egress following. The evidence does not support attributing these reads to the skill rather than to the audit infrastructure, but the pattern warrants explicit notation.
LOW: Post-install canary reads are read-only with no follow-on exfiltration (score -7)
Canary files were opened read-only after install completion. All access events are CLOSE_NOWRITE; no write syscalls or network connections to external IPs followed. The integrity check confirms file contents unchanged. This is consistent with audit framework operation rather than skill-driven exfiltration, but is noted for completeness.
INFO: SKILL.md contains no prompt injection payload (score 0)
Full review of SKILL.md found only legitimate CLI reference documentation, SOQL query patterns, error handling guidance, and standard frontmatter. No override instructions, instruction-suppression language, persona-switching, hidden unicode characters, or attacker-controlled external URLs were found.