CRMy

Pass

Audited by ClawScan on May 10, 2026.

Overview

CRMy appears to be a coherent CRM integration, but it can use a CRMy API key to read and change CRM records, so users should supervise account and pipeline changes.

Install this only if you intend to let OpenClaw manage your CRMy CRM. Confirm important contact, account, opportunity, and pipeline changes before they are written, and make sure the configured serverUrl is a trusted CRMy server using an appropriately scoped API key.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The assistant can make persistent CRM changes, such as creating contacts, updating contact fields, logging activities, and moving relationship or deal state when the workflow calls for it.

Why it was flagged

The plugin exposes tools that can create and update CRM records through the CRMy API. This matches the stated CRM-management purpose, but it is still meaningful mutation authority over business data.

Skill content

handler: async (input) => client.post('/contacts', input) ... handler: async ({ id, ...rest }) => client.patch(`/contacts/${id as string}`, rest)

Recommendation

Use the skill only if you want the agent to manage CRMy data. Keep human confirmation for important updates, stage changes, and bulk actions, and verify search matches before writing.

What this means

Anyone who can direct this skill through the agent can cause authenticated actions against the configured CRMy server within the API key's permissions.

Why it was flagged

The plugin reads a CRMy API key from configured sources and uses it as a Bearer token for CRMy API requests. This is expected for authenticated CRM access, but the credential grants account authority.

Skill content

const raw = fs.readFileSync(path.join(os.homedir(), '.crmy', 'config.json'), 'utf-8'); ... const apiKey = pluginConfig?.apiKey ?? process.env.CRMY_API_KEY ?? fileConfig.apiKey ?? ''; ... 'Authorization': `Bearer ${cfg.apiKey}`

Recommendation

Use a trusted CRMy server URL, prefer a least-privilege API key, protect ~/.crmy/config.json and CRMY_API_KEY, and avoid running the skill in environments where untrusted prompts can trigger CRM writes.