Gtm System

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to be a coherent GTM tracker with disclosed local storage, public-source crawling, Telegram notifications, and scheduled jobs, with no artifact-backed hidden exfiltration or destructive behavior.

This skill looks reasonable for a lightweight local GTM tracker. Before installing, be comfortable with it storing contact and opportunity data in a local SQLite database, running public-source crawls, and possibly sending scheduled digests through Telegram if those jobs are configured.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or overly broad user instruction could alter local pipeline/contact records or initiate public-source crawling.

Why it was flagged

The CLI can change local GTM records and run external signal crawls. These capabilities are central to the skill's stated purpose and are documented as user-invoked commands.

Skill content

python3 scripts/gtm.py add-contact ...; python3 scripts/gtm.py add-opp ...; python3 scripts/gtm.py move-stage 1 evaluation; python3 scripts/gtm.py crawl

Recommendation

Use clear confirmations for record-changing actions, keep backups of the SQLite database, and review crawler results before acting on them.

What this means

It may be harder for a user to verify where the script came from or how it will be maintained.

Why it was flagged

The skill includes a runnable Python script but has limited provenance metadata and no homepage. No remote install or suspicious dependency behavior is shown.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; Code file presence: scripts/gtm.py

Recommendation

Install only from a trusted owner, and review the bundled script before relying on it for business records.

What this means

Business relationship data and contact details may persist across sessions in the local workspace.

Why it was flagged

The skill persistently stores GTM information in a local SQLite database, likely including contacts, opportunities, reminders, and interaction history.

Skill content

Database Location `/home/daaronch/.openclaw/workspace/gtm-system/data/gtm.db` (SQLite)

Recommendation

Protect the workspace permissions, avoid storing secrets in notes, and delete or archive the database when it is no longer needed.

What this means

Pipeline summaries, reminders, or contact-related business information could be visible through the configured Telegram bot or chat.

Why it was flagged

The skill documents a Telegram notification path for GTM data. This is disclosed and purpose-aligned, but Telegram is an external messaging channel.

Skill content

Sends notifications via your existing Telegram bot

Recommendation

Use a private bot/chat, verify who can access the Telegram channel, and avoid sending confidential customer details unless appropriate.

Note (High Confidence)
ASI10: Rogue Agents

What this means

If configured, the skill may run crawls and send digests without a fresh manual prompt each time.

Why it was flagged

The artifacts describe scheduled automation for crawling and digest generation. It is disclosed and aligned with the GTM workflow, but it is persistent autonomous activity.

Skill content

Daily cron jobs - Morning crawl (6am PT) + digest (8:30am PT)

Recommendation

Review the configured cron jobs, disable them if unwanted, and ensure scheduled notifications go only to intended recipients.