Skill v1.0.0
ClawScan security
Openclaw Perfexcrm Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 1:49 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions are consistent with its stated purpose (managing PerfexCRM via its API) and request only the expected tools and credentials.
- Guidance: This skill appears coherent and focused on calling the PerfexCRM API. Before installing: (1) confirm you trust the skill source (homepage/repo links provided) and only set PERFEXCRM_API_KEY for agents you trust; (2) create and use a least-privilege API key in PerfexCRM (limit scopes and/or IPs if possible); (3) ensure PERFEXCRM_API_URL uses HTTPS and points to your intended installation; (4) do not paste your API key into public chats — supply it via the platform's secret management only; (5) monitor API logs and rotate the key regularly; (6) if you need stronger isolation, create a dedicated PerfexCRM user/API key for this skill and limit its permissions. Confidence in this assessment is high because the SKILL.md is concrete, uses only the declared env vars and curl, and there are no install scripts or unexpected requirements.
Review Dimensions
- Purpose & Capability (ok): Name/description promise CRUD access to PerfexCRM resources; the skill only requires curl and the Perfex API URL and key. These are exactly what an API-integration skill needs.
- Instruction Scope (ok): SKILL.md contains concrete curl examples that exclusively call endpoints under PERFEXCRM_API_URL using the declared X-API-KEY header. The instructions do not ask the agent to read unrelated files, other environment variables, or to transmit data to third-party endpoints.
- Install Mechanism (ok): No install spec and no code files — instruction-only. This minimizes disk write/execution risk; the only runtime requirement is curl (declared).
- Credentials (ok): Only two environment variables are required: PERFEXCRM_API_URL and PERFEXCRM_API_KEY. Both are directly relevant and the primary credential is correctly marked as PERFEXCRM_API_KEY. No unrelated secrets or extra credentials are requested.
- Persistence & Privilege (ok): always is false and the skill is user-invocable. It does not request permanent/global agent privileges or modify other skills. Autonomous invocation (disable-model-invocation=false) is the platform default and not itself a red flag here.
