Dex CRM

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: dex-crm
Version: 1.0.0

The skill bundle is designed to manage Dex CRM contacts, notes, and reminders, which aligns with its stated purpose. All network requests in `SKILL.md` and `scripts/dex-cleanup.py` are directed to the legitimate `https://api.getdex.com` domain and use the `DEX_API_KEY` as expected. The `dex-cleanup.py` script, while performing bulk archiving of contacts, is transparent, includes a dry-run option, and its logic for identifying 'junk' contacts is clearly defined. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution of remote payloads, persistence mechanisms, or prompt injection attempts designed to subvert the agent's intended behavior or access unrelated sensitive data.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent workflow using this key can access the Dex account according to the key’s permissions.

Why it was flagged

The skill needs a Dex API key that grants delegated access to the user’s CRM account. This is expected for the integration, but it is sensitive account authority.

Skill content

Set `DEX_API_KEY` in gateway config env vars.

Recommendation

Use a dedicated or revocable Dex API key if available, store it only in the intended gateway config, and remove or rotate it when no longer needed.

What this means

Mistaken or over-broad instructions could change or delete contacts, notes, or reminders in Dex.

Why it was flagged

The skill exposes write and delete CRM operations. The confirmation instruction is a good control, but these actions can permanently affect account data.

Skill content

Always confirm before creating, updating, or deleting contacts/notes/reminders

Recommendation

Confirm record IDs and intended changes before allowing create, update, or delete operations, especially for deletes or bulk edits.

What this means

A false positive in the junk-contact heuristic could archive real contacts in Dex.

Why it was flagged

The included cleanup script can bulk archive contacts selected by heuristics. README.md documents a dry-run mode, but a normal run performs account mutations.

Skill content

api_put(f"/contacts/{j['id']}", {
    "changes": {"is_archived": True}
})

Recommendation

Run `python3 scripts/dex-cleanup.py --dry-run` first, review the listed contacts, and only run the non-dry-run command if the results are acceptable.

What this means

Personal contact information may be shown to or processed by the agent during CRM tasks.

Why it was flagged

The skill may retrieve personal CRM details and notes into the agent context. This is expected for a CRM skill, but the data can be sensitive.

Skill content

Look up contact details (phone, email, birthday)

Recommendation

Use the skill only in trusted conversations and avoid asking it to retrieve more contact data than needed.

What this means

Users have less external context for verifying authorship or updates.

Why it was flagged

The registry does not provide upstream provenance. No risky install step or hidden dependency is shown, so this is a provenance notice rather than a behavioral concern.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included SKILL.md and script before use, and prefer installing from a trusted publisher or verified source when available.