Is mkpareek0315/client-manager safe?

https://clawhub.ai/mkpareek0315/client-manager

93
SAFE

This is a legitimate freelancer CRM skill that stores client, project, and invoice data locally in plain-text JSON files. No malicious code, data exfiltration, or prompt injection attacks were detected. The primary concern is overly broad activation triggers (common phrases like 'good morning', 'time', 'help') that could hijack normal agent conversations.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (6)

MEDIUM Overly broad activation triggers hijack common phrases -12

The skill activates on extremely common phrases like 'good morning', 'time', 'help', 'log', 'goal', 'tax', and 'dashboard'. These generic triggers could cause the skill to intercept messages intended for the base agent or other skills, effectively hijacking normal conversation flow.

LOW Client PII stored as unencrypted plain-text JSON -5

Client names, emails, rates, payment history, and business information are stored in plain-text JSON files without encryption. While this is appropriate for a local-only tool, any other skill or process with filesystem access could read this sensitive business data.

LOW Email sending offer could trigger unintended data transmission -3

After generating invoices and proposals, the skill prompts 'Want me to send this via email?' If the agent has email-sending capabilities, a user's casual 'yes' could transmit client data externally. This is user-initiated but could catch users off guard.

LOW Proactive behaviors could trigger unsolicited agent actions -8

The skill instructs the agent to proactively remind users about overdue invoices, hot leads, retainer billing dates, and archived client re-engagement. These auto-triggers could fire unexpectedly during unrelated conversations.

INFO Bash commands are benign file operations within expected directory -3

All shell commands in the skill are limited to creating directories (mkdir -p), initializing empty JSON arrays (echo '[]'), and reading files (cat) — all within ~/.openclaw/client-manager/. No elevated privileges, no network commands, no dangerous operations.

INFO Clean installation with no anomalous behavior 0

Installation performed a standard git clone from the monorepo with no post-install scripts, no unexpected network connections, and no filesystem changes outside the skill directory.