Clawcrm
v1.0.7Agent-native CRM built for AI agents to manage sales pipelines autonomously
⭐ 1· 496·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill is a CRM and only requests a single API key (CLAWCRM_API_KEY), which is appropriate for a hosted CRM service. The SKILL.md shows API calls to the ReadyCRM/readycrm.netlify.app endpoints which align with the described CRM functionality (create leads, enrichment, email sequences).
Instruction Scope
Instructions are network-only curl calls to the service's API and do not ask the agent to read local files or unrelated environment variables. Two small issues: (1) examples use an HTTP header named x-admin-token while the declared primary credential is CLAWCRM_API_KEY — the mapping is implied but not explicit; (2) the skill advertises auto-enrichment using third-party sources (Apollo.io, 'Google Deep Search') which means the service will query external data about leads — a privacy and compliance consideration, though expected for enrichment features.
Install Mechanism
No install spec or code is included; this is instruction-only (lowest install risk). Nothing is downloaded or written to disk by the skill's metadata.
Credentials
Only one env var is required (CLAWCRM_API_KEY), which is proportional. The SKILL.md examples use a header named x-admin-token instead of explicitly referencing CLAWCRM_API_KEY, which is a minor inconsistency that should be clarified so the agent doesn't inadvertently expose or mishandle credentials.
Persistence & Privilege
The skill does not request always:true and is not requesting system-level persistence or modifications to other skills. It is user-invocable and can be invoked autonomously (default), which is normal for skills; consider the implications of granting autonomous agent actions that send emails and create leads.
Assessment
This skill appears to be what it says: an instruction-only wrapper around a hosted CRM service. Before installing: (1) Verify the service domain and ownership (clawcrm.ai vs readycrm.netlify.app / GitHub repo link) to ensure you trust the provider. (2) Understand privacy: auto-enrichment will fetch third-party data about leads (Apollo, web searches) — confirm this is acceptable for your data handling policies and regional regulations (e.g., GDPR, CAN-SPAM). (3) Confirm how your CLAWCRM_API_KEY is used: the examples use an x-admin-token header, so map the env var safely and avoid exposing keys in logs. (4) Be cautious granting autonomous agent permissions because the skill can send outbound emails and modify CRM data — consider limiting scope, monitoring actions, and rotating the API key regularly. If you want higher confidence, ask the publisher for the canonical API domain, a short privacy/data-flow document, and the exact header-to-env-var mapping the agent should use.Like a lobster shell, security has layers — review code before you run it.
latestvk977p8y3mgz5j47pkyrf6h7zqn81yevy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
EnvCLAWCRM_API_KEY
Primary envCLAWCRM_API_KEY