erxes Skill
Warn
Audited by ClawScan on May 13, 2026.
Overview
This looks like a real erxes integration, but it grants broad owner-level business/admin authority and has unclear package provenance.
Review this carefully before installing. It may be useful for erxes administration, but only use it with an account and workspace where you are comfortable letting an agent read and change business records. Confirm the publisher/source mismatch first, and consider using a limited test account rather than an owner account.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed, the agent may act with broad admin-level authority over contacts, team members, organization settings, automations, and business records whenever the authenticated account allows it.
The skill directs the agent to operate as an owner by default rather than using a clearly bounded least-privilege scope.
Assume OpenClaw is operating as the erxes owner unless the live API proves otherwise.
Use only with an erxes account you are comfortable delegating to the agent, and prefer a limited-scope test account. The publisher should declare required OAuth scopes and remove the default owner-mode assumption.
A mistaken interpretation could create or modify important business records, team settings, automations, or operational data without a final review prompt.
Create and update operations over broad business/admin objects do not require a final explicit confirmation when the skill thinks the fields are clear.
For create or update, if the target record or required fields are unclear, summarize the planned change and ask only for the missing information.
Require explicit confirmation for all write mutations, especially organization, team-member, automation, financial, contract, invoice, and bulk-update workflows.
The package identity and provenance are unclear, which matters more because this skill can receive OAuth tokens and perform high-impact account mutations.
The supplied registry metadata identifies the evaluated skill as erxes-skill version 1.0.0, while embedded metadata and origin files identify erxes-next version 1.0.4.
"slug": "erxes-next", "version": "1.0.4"
Do not install until the publisher reconciles the registry metadata, embedded metadata, and origin file, and provides a clear source/homepage.
Running login invokes local shell tooling and contacts the erxes URL you provide.
The skill includes a shell-based OAuth helper that makes network requests and opens a browser URL; this is disclosed and aligned with the login purpose.
curl -sf -X POST "$BASE/oauth/device/code" ... open "$URI" 2>/dev/null || true
Run the login helper only for erxes instances you trust, and verify ERXES_BASE_URL before authenticating.
