ClawAudit verdict
b2b-sdr-agent
Open-source B2B sales agent template with multi-channel CRM capabilities; the WhatsApp IP isolation and multi-tenant deployment features are explicitly documented business features, not deceptive behavior, and there is no evidence of exfiltration or unauthorized data forwarding.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Findings (11)
Possible hardcoded credential
ANTI-AMNESIA.md · code · API_KEY: "<from MemOS Dashboard>
Pipe-to-shell pattern (curl | sh) — supply chain attack vector
deploy/deploy.sh · prose · downgraded · curl -fsSL https://deb.nodesource.com/setup_22.x | bash
Pipe to bash — executes piped content as shell commands
deploy/deploy.sh · prose · downgraded · | bash
Accesses OpenClaw config/secrets directly
deploy/UPGRADE.md · code · ~/.openclaw/openclaw.json
References agent memory files
docs/internal/LAUNCH-CONTENT.md · code · MEMORY.md
Python os.environ.get — reads environment variable
ANTI-AMNESIA.md · code · os.environ.get(
Instructs covert action — may act without user awareness
CHANGELOG.md · prose · downgraded · silently
References SSH/GPG private keys
deploy/deploy.sh · prose · downgraded · SSH_KEY
apt-get install — installs system packages
deploy/deploy.sh · prose · downgraded · apt-get install
HTTP request to bare IP address — common in malicious payloads
README.ar.md · prose · downgraded · https://1.1.1.1
Base64 encoding/decoding
workspace/TOOLS.md · code · BASE64_ENCODE
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class A). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.
network_in Is this flag fair?
Thanks — recorded.