bigin-crm-skill

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a legitimate Bigin CRM connector, but it grants broad CRM OAuth access and includes bulk or automated changes to business records without clear safeguards.

Review this skill carefully before authenticating. It looks purpose-aligned for Bigin CRM, but only grant it access if you are comfortable with broad CRM permissions and make sure destructive, bulk, or automated changes require your explicit approval.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken prompt, broad criterion, or unintended invocation could update many CRM opportunities, assignments, or follow-up tasks.

Why it was flagged

The skill documents automated and bulk-changing CRM workflows, including moving pipeline stages to Closed Won, but the provided instructions do not show confirmation, dry-run, rollback, or bounded approval controls.

Skill content

bigin automation advance --auto-advance --criteria "proposal-sent-and-7-days"
...
bigin pipeline bulk-update --stage "Negotiation" --new-stage "Closed Won" --criteria "probability-gt-80"

Recommendation

Require explicit user confirmation for bulk, delete, win/loss, and automation actions; provide dry-run previews, record counts, and rollback guidance.

What this means

Installing and authenticating gives the skill durable authority over a broad portion of the user's Bigin CRM account.

Why it was flagged

The OAuth flow requests broad Bigin module/settings authority, persists tokens locally, and binds the temporary callback server on all interfaces rather than just loopback.

Skill content

self.scope = "ZohoBigin.modules.ALL,ZohoBigin.settings.ALL,ZohoBigin.org.READ"
...
self.token_file = self.token_dir / "bigin-crm.json"
...
with socketserver.TCPServer(("", 8888), CallbackHandler) as httpd:

Recommendation

Use the narrowest Bigin scopes possible, declare OAuth credentials in metadata, bind callbacks to 127.0.0.1, add an OAuth state parameter, and clearly explain token storage and revocation.

What this means

Email contents or sender details could be copied into CRM records or used in replies if the user enables that workflow.

Why it was flagged

The documented optional workflow moves email-derived information into CRM and can send a reply through another skill, but the artifacts do not define data-boundary or approval details for that cross-skill flow.

Skill content

Integration with Zoho Email Skill ... Extract sender info → Create/update contact ... Create pipeline entry if none exists ... Reply with acknowledgment

Recommendation

Use this workflow only with explicit user approval, and define what email fields may be read, stored, and sent.