Workcrm
v0.1.0-alpha.4A local-first CRM that drafts and requires explicit user confirmation before saving contact or record changes for auditability.
⭐ 0· 737·3 current·3 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code implements a local-first CRM engine, draft/confirm flow, and local SQLite storage — which aligns with the skill name/description. However SKILL.md claims a CLI (python -m workcrm) and a default DB path (~/.openclaw/workcrm/workcrm.sqlite3) that do not match the package code (no __main__.py/console entrypoint, and profile.resolve_db_path uses ~/.openclaw/data/workcrm/workcrm_work.sqlite). These documentation mismatches mean the declared usage doesn't line up with the included code.
Instruction Scope
SKILL.md references an optional env var WORKCRM_DB_PATH and a CLI invocation that appear to be the intended runtime hooks. The registry metadata declared no required env vars; the codebase itself does not read WORKCRM_DB_PATH and there is no provided python -m entrypoint. The skill does create directories and a local DB under the user's home directory (expected for a local-first CRM) but the doc/code mismatch could lead an agent to attempt commands or env access that won't work or that behave differently than documented.
Install Mechanism
No install spec is provided (instruction-only from registry perspective), but the bundle includes a Python package. Because there is no installer or console_scripts entry in pyproject.toml, the claimed python -m CLI is likely nonfunctional. No remote downloads or third-party install sources are present; all code is included in the skill bundle.
Credentials
Registry metadata lists no required env vars, but SKILL.md mentions WORKCRM_DB_PATH as an override. The code does not appear to require any secrets or cloud credentials; it only uses the filesystem (creating ~/.openclaw/data/workcrm by default). Requesting or documenting an env var without declaring it is a discrepancy the user should note.
Persistence & Privilege
The skill does write persistent data to the user's home directory (creates a data directory and SQLite DB) and retains drafts for auditability — this is coherent with a 'local-first' CRM. always is false and the skill does not modify other skills or system-wide agent settings.
What to consider before installing
This package appears to be a legitimate local CRM implemented in Python and enforces an explicit confirm gate, but the runtime docs don't fully match the code. Before installing or enabling auto-invocation, consider: 1) The SKILL.md CLI (python -m workcrm) likely doesn't exist (no __main__ or console script); try importing WorkCRMEngine/WorkCRMRepo in a sandbox or running the tests instead. 2) The SKILL.md default DB path (~/.openclaw/workcrm/workcrm.sqlite3) differs from the code's default (~/.openclaw/data/workcrm/workcrm_work.sqlite) — confirm where the DB will be created. 3) SKILL.md mentions WORKCRM_DB_PATH, but the package/registry don't declare it — if you rely on an env override, test how the agent will pass it. 4) The skill will create directories and a SQLite DB under your home directory and retain drafts (including rejected drafts) — if that is sensitive, point the skill at a dedicated data directory. 5) There are no network calls or credential requests in the code, which reduces exfiltration risk. If you want to proceed: run the included tests or import the package in an isolated environment to validate behavior, or ask the publisher to fix the SKILL.md / packaging mismatches before enabling the skill for autonomous agent use.Like a lobster shell, security has layers — review code before you run it.
latestvk97c6tf4wz6s83nbakkgbne6n5815qrg
License
MIT-0
Free to use, modify, and redistribute. No attribution required.