crm-sync
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local script crm-sync.py via subprocess to perform CRM status checks and deduplication tasks. This execution path handles various actions (--action get-crm-status, --action check-dedup) that are not defined within the skill's source code.
- [DATA_EXFILTRATION]: The skill accesses several sensitive files located in the user's home directory (~/.claude-marketing/brands/), including _active-brand.json, profile.json, and _manifest.json. Accessing configuration and profile data from a hidden directory involves the exposure of brand-specific metadata and potentially sensitive context.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core functionality of ingesting external data.
  - Ingestion points: Processes data from CSV file paths and JSON arrays provided by the user or external platforms.
  - Boundary markers: No specific delimiters or instructions to ignore embedded natural language commands are defined for the data processing phase.
  - Capability inventory: Includes subprocess execution (crm-sync.py), file system read operations, and network API requests to CRM providers (Salesforce, HubSpot, Zoho, Pipedrive).
  - Sanitization: While the skill validates formats (email, phone), it lacks mechanisms to sanitize or filter out malicious natural language instructions hidden within the ingested record fields.
Audit Metadata