Bundle Plugin · source linked

SF Plugin Core Assets Test v0.0.1

Salesforce skill bundle plugin for Codex-compatible hosts and OpenClaw bundle installs.

sf-plugin-core-assets-test · runtime sf-plugin-core-assets-test · by @dsouza-anush
openclaw bundles install clawhub:sf-plugin-core-assets-test
Latest release: v0.0.1

Capabilities

Bundle format: codex
Host targets: codex
Runtime ID: sf-plugin-core-assets-test

Compatibility

Built With Open Claw Version: 0.1.0
Security Scan
VirusTotal: stale
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The bundle purpose is broadly Salesforce-focused and the manifest contains many Salesforce sub-skills and assets. That is coherent with the stated purpose, but broader than a single narrow skill.
Instruction Scope
The visible sub-skill instructions are generally scoped to Salesforce diagram/documentation work. A pre-scan prompt-injection pattern was reported, but no visible source snippet shows a host/evaluator override, so it was not escalated.
Install Mechanism
No install spec or lifecycle scripts are declared, and the visible package metadata does not show dependency installation or automatic execution.
Credentials
Registry metadata declares no required credentials or environment variables. Some visible OAuth documentation uses placeholder Salesforce keys, secrets, and tokens, which is purpose-aligned but sensitive if users replace them with real values.
Persistence & Privilege
The OAuth reference material discusses refresh tokens and secure token storage, but the provided artifacts do not show hidden persistence or automatic credential storage by the skill itself.
Scan Findings in Context
[pre-scan:you-are-now] expected: A generic prompt-injection phrase was reported, but the provided visible source does not show an instruction attempting to control this review or override the host agent.
[static-scan:clean] expected: The supplied static scan reported no suspicious patterns.
What to consider before installing
This appears safe to install as a Salesforce template/documentation bundle, but use care with sub-skills that touch a real Salesforce org. Review generated code and metadata before applying it, prefer sandboxes for testing, and keep OAuth secrets and refresh tokens out of prompts, logs, and shared files. ClawScan detected prompt-injection indicators (you-are-now), so this skill requires review even though the model response was benign.

Verification

Tier: source linked
Scope: artifact only
Summary: Validated package structure and linked the release to source metadata.
Commit: 4dd86807732f
Tag: main
Provenance: No
Scan status: suspicious

Tags

latest: 0.0.1
salesforce: 0.0.1
test: 0.0.1