Salesflare CRM
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a coherent Salesflare CRM API helper, but it needs a Salesflare API key and can make CRM changes when the user confirms them.
Install only if you intend to let the agent use your Salesflare API key. Treat read results as potentially sensitive customer data, confirm every write/delete with exact IDs and payloads, and inspect the smoke-test script before running write-mode tests because part of the supplied source view was truncated.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If confirmed, the skill can create, update, or delete CRM data such as accounts, contacts, opportunities, tasks, tags, and related records.
The skill intentionally exposes high-impact CRM mutation operations, but it also clearly instructs the agent to get explicit user confirmation before writes or deletes.
Full Salesflare API operations skill for reading, searching, creating, and updating CRM data... **Always confirm intent with the user before executing POST, PUT, PATCH, or DELETE.**
Only approve write or delete commands after checking the target path, IDs, and payload; avoid broad or bulk mutations unless you explicitly intend them.
Anyone or anything using the configured API key can access and mutate Salesflare data according to that key's permissions.
The helper uses a bearer API key for authenticated Salesflare requests, and the destination can be overridden for testing; this is expected for the integration but should remain limited to trusted Salesflare or staging endpoints.
ap.add_argument("--base-url", default=os.environ.get("SALESFLARE_BASE_URL", DEFAULT_BASE)) ... req.add_header("Authorization", f"Bearer {api_key}")
Use the least-privileged Salesflare API key available, keep it out of shared logs, and do not set --base-url or SALESFLARE_BASE_URL to an untrusted domain.
Users have less external context for who maintains the skill or where updates come from.
The registry metadata does not provide a public source or homepage, which limits provenance review, although the provided scripts are included and no install-time dependency download is shown.
Source: unknown; Homepage: none
Review the included scripts before use, especially before running smoke-test write modes or using production CRM credentials.
