Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tmp Skill
v1.0.0CRM integration, lead tracking, outreach automation, and pipeline management. Transform your AI agent into a sales assistant that never lets leads slip throu...
⭐ 0· 309·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The SKILL.md advertises CRM integration, outreach automation, and pipeline management. The included scripts (sales-init.sh, lead-tracker.sh, pipeline-report.sh) only create and manipulate local markdown files under ${HOME}/.openclaw/workspace/sales and generate reports/templates — there are no API calls, no email sending, and no code to integrate with HubSpot, Salesforce, Notion, or any CRM. This is a substantive mismatch between claimed capabilities and actual functionality. Additionally, registry metadata (skill slug/owner) differs from _meta.json values, suggesting the package may have been repackaged or mislabeled.
Instruction Scope
Runtime instructions tell the agent (or user) to run the included shell scripts and to edit a TOOLS.md to configure CRM preferences. The scripts only read/write files under ~/.openclaw/workspace/sales (create directories, templates, and markdown leads), which is within scope for a local lead tracker. However, the instructions give the impression of external CRM integration and automated outreach; there are no instructions or code for network calls, credentials handling, or external endpoints. The instruction set therefore overpromises and is misleading.
Install Mechanism
No install specification; this is effectively an instruction + script bundle. No downloads, no package installs, and nothing will be written outside the user's home directory except files created under ~/.openclaw/workspace/sales. From an install-risk perspective this is low, but users should still review scripts before running.
Credentials
The skill declares no required environment variables or credentials, which matches the included scripts (they do not read external API keys). Note that the SKILL.md suggests configuring CRM tooling (e.g., HubSpot/Salesforce) — if you later add credentials to TOOLS.md or other local files, those would be sensitive and the skill provides no secure handling for them.
Persistence & Privilege
always is false and the skill is user-invocable. The scripts create files under ~/.openclaw/workspace/sales and do not modify other skills or system-wide settings. This level of persistence and privilege is appropriate for a local tracker.
What to consider before installing
This package is misaligned with its marketing: it mostly provides a local markdown-based lead tracker and report templates, not real CRM connectors or outbound automation. Before installing or running anything: 1) Inspect the three scripts yourself (they are plain bash and safe-looking) and confirm you are comfortable with them writing to ~/.openclaw/workspace/sales. 2) Do not place API keys, passwords, or other secrets into TOOLS.md or plain templates — the skill has no secret-management behavior. 3) If you expected HubSpot/Salesforce/Notion integration or automated emailing, ask the publisher for details or an implementation that shows safe network calls and required credentials. 4) Note the metadata mismatch (skill registry name/owner vs _meta.json) — treat that as a sign to verify the source/author before trusting the package.Like a lobster shell, security has layers — review code before you run it.
latestvk970tae5xms32xfaa1c3bgxq5n8211jz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.