HK3 CRM Installer
Warn. Audited by ClawScan on May 11, 2026.
Overview
The installer mostly matches its stated purpose, but it clones code from the head of a mutable remote repository, installs whatever dependencies that checkout lists, and starts a background CRM service, all without pinning, containment, or a documented way to stop it.
Install only if you trust and have reviewed the GitHub repository and its Python dependencies at the exact revision that will be fetched. Prefer running it in a virtual environment or container, back up any CRM data, and make sure you know how to stop the background service before using it with real customer information.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the remote repository or its dependency list changes or is compromised between review and installation, installing the skill runs unreviewed code on the user's machine.
The installer pulls application code and dependency instructions from a mutable remote repository: the clone takes whatever the default branch currently points at, and the requirements file it then installs from lives inside that clone, so neither is included in the reviewed artifacts or pinned to a commit/tag.
    REPO_URL="https://github.com/jiangyisheng9-bot/hk3-crm.git"
    cd "$WORKSPACE" && git clone "$REPO_URL"
    pip3 install -r requirements.txt -q
Pin the repository to a reviewed commit or release, include a lockfile (pinned versions with hashes), install in a virtual environment/container, and ask the user to confirm before fetching and installing remote code.
The downloaded CRM code runs locally with the user's full permissions, so it can read and write the user's files, open network connections, and change the local environment, depending entirely on what the remote app code does.
After cloning the remote repository and installing dependencies, the script immediately executes the downloaded Python application without any confirmation step.
nohup python3 app.py > /tmp/hk3-crm.log 2>&1 &
Require explicit user approval before first run, review the remote app code, and run it with least privilege in an isolated environment.
The CRM service may continue running and listening locally after the user expects installation to be finished, consuming resources or exposing the app on the configured port to anything that can reach it.
The installer leaves a long-running background service active after the setup command completes. The only trace is a PID file written next to the code and a log at a fixed path under /tmp; there is no documented stop or cleanup process.
    nohup python3 app.py > /tmp/hk3-crm.log 2>&1 &
    CRM_PID=$!
    echo $CRM_PID > "$CRM_DIR/.pid"
Document and provide a stop/uninstall command, show the PID and log location to the user (and keep the log under the install directory rather than a fixed path in /tmp), and make background startup an explicit choice rather than the default.
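The following wrapper is an added example of how the first and third findings could be addressed together; it is not the skill's own installer and not ClawScan's code. It keeps the audited REPO_URL, but the commit to check out (HK3_COMMIT), the install directory (CRM_DIR), and the subcommand names are assumptions for illustration, and the script deliberately refuses to run unless the operator supplies the 40-character commit id they actually reviewed. It also checks that every requirement is pinned with == and carries a sha256 hash before handing the file to pip --require-hashes, and it gives the background service a matching stop command that uses the PID file.

```shell
#!/usr/bin/env bash
# Illustrative hardened install/start/stop wrapper (added example, not the skill's script).
set -eu

REPO_URL="https://github.com/jiangyisheng9-bot/hk3-crm.git"      # from the audited installer
HK3_COMMIT="${HK3_COMMIT:-}"             # assumption: operator supplies the reviewed commit id
CRM_DIR="${CRM_DIR:-${HOME:-/tmp}/hk3-crm}"  # assumption: install location

# A pin must be a full 40-hex commit id; a branch or tag name can be moved after review.
is_full_commit() {
    case "$1" in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Succeeds only if every requirement line is "name==version" with a --hash=sha256:<64 hex>.
# Backslash continuations (the usual pip-compile --generate-hashes layout) are joined first.
# Caveat: -r / -c include lines are skipped, not followed.
check_requirements_pinned() {
    file="$1"; bad=0; buf=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *\\) buf="$buf${line%\\}"; continue ;;
        esac
        line="$buf$line"; buf=""
        case "$line" in ''|\#*|-*) continue ;; esac
        if ! printf '%s\n' "$line" | grep -Eq -- '^[A-Za-z0-9_.-]+(\[[^]]*\])?==[^ ]+ .*--hash=sha256:[0-9a-f]{64}'; then
            printf 'unpinned or unhashed requirement: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

install_hk3() {
    is_full_commit "$HK3_COMMIT" || { echo "set HK3_COMMIT to the 40-hex commit you reviewed" >&2; return 1; }
    printf 'Clone %s at %s into %s and install its dependencies? [y/N] ' "$REPO_URL" "$HK3_COMMIT" "$CRM_DIR"
    read -r answer; [ "$answer" = y ] || { echo "aborted"; return 1; }
    git clone --no-checkout "$REPO_URL" "$CRM_DIR"
    # checkout fails if that commit is not in the repository, so the tree on disk is exactly the reviewed one
    git -C "$CRM_DIR" checkout --detach "$HK3_COMMIT"
    check_requirements_pinned "$CRM_DIR/requirements.txt"
    python3 -m venv "$CRM_DIR/.venv"
    "$CRM_DIR/.venv/bin/pip" install --require-hashes -r "$CRM_DIR/requirements.txt"
    echo "installed; run '$0 start' to launch the service in the background"
}

# Background start is a separate, explicit step; PID and log live under CRM_DIR, not /tmp.
start_hk3() {
    (
        cd "$CRM_DIR"
        nohup "$CRM_DIR/.venv/bin/python" app.py > "$CRM_DIR/hk3-crm.log" 2>&1 &
        echo $! > "$CRM_DIR/.pid"
        echo "hk3-crm started, pid $(cat "$CRM_DIR/.pid"), log $CRM_DIR/hk3-crm.log"
    )
}

# Stop path: TERM the recorded pid, wait up to ~5 s, escalate to KILL, remove the pid file.
stop_hk3() {
    dir="$1"; pidfile="$dir/.pid"
    [ -f "$pidfile" ] || { echo "hk3-crm not running (no $pidfile)"; return 0; }
    pid=$(cat "$pidfile")
    if kill -0 "$pid" 2>/dev/null; then
        kill "$pid"
        for _ in 1 2 3 4 5; do
            kill -0 "$pid" 2>/dev/null || break
            sleep 1
        done
        kill -0 "$pid" 2>/dev/null && kill -9 "$pid"
    fi
    rm -f "$pidfile"
    echo "hk3-crm stopped"
}

case "${1:-}" in
    install) install_hk3 ;;
    start)   start_hk3 ;;
    stop)    stop_hk3 "$CRM_DIR" ;;
    '')      ;;   # no verb: just define the functions (e.g. when sourced)
    *)       echo "usage: $0 install|start|stop" >&2; exit 2 ;;
esac
```

The key design choice is that review and install are bound together by the commit id: `git checkout --detach <sha>` either yields the tree that was reviewed or fails, whereas a branch or tag clone can silently change under the reviewer. `pip install --require-hashes` gives the same property to the dependency set, and the pinning check above fails closed before pip ever runs, so an unhashed requirements.txt cannot pull unreviewed packages.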
