CRM Manager Skill Review
Audited by ClawScan on May 10, 2026.
Overview
The CRM purpose is coherent, but customer names are used directly as file paths, so a crafted name could create or modify YAML files outside the intended CRM folder.
Review before installing. The skill's behavior is mostly purpose-aligned and local, but the maintainer should fix filename/path validation before you use it with real data. If you proceed, keep it in a trusted workspace, avoid unusual customer names containing slashes or other path characters, and protect the YAML customer database.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or accidental customer name containing path syntax could write a YAML file outside the intended customer database folder, or similar scripts could modify existing YAML files outside that folder.
The user-controlled customer name is inserted directly into the filesystem path and then opened for writing, with no rejection of absolute paths, '..', or path separators.
Evidence (excerpt from the script; "客户姓名" is "customer name"):

    parser.add_argument("name", help="客户姓名")
    ...
    file_path = os.path.join(data_dir, f"{name}.yaml")
    ...
    with open(file_path, "w", encoding="utf-8") as f:

Recommendation: Sanitize customer names before using them as filenames: reject absolute paths and path separators, normalize the final path, and enforce that it remains inside data/customers.
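As an added example (not code from the skill or from ClawScan), the flagged join is shown next to a validating replacement that applies the recommendation: reject absolute paths, '.', '..', separators and control characters, check the name against an allow-list, resolve the final path and confirm it stays under the data directory. The allow-list regex, the `write_customer` helper (which also creates the record with owner-only 0o600 permissions, relevant to the stored contact details) and the sample names in the demo are assumptions constructed for this example.

```python
import os
import re
import stat
import tempfile  # only used by the constructed demo below

# Assumption for this example: a customer name is 1-64 characters of Unicode letters,
# digits, underscores, spaces or hyphens (so CJK names pass) with no surrounding whitespace.
_NAME_RE = re.compile(r"^\w[\w \-]{0,63}$")


class UnsafeCustomerName(ValueError):
    """Raised when a name must not be used as a filename."""


def vulnerable_path(data_dir, name):
    """The pattern ClawScan flagged: the raw name is joined straight into the path."""
    return os.path.join(data_dir, f"{name}.yaml")


def escapes_data_dir(data_dir, path):
    """True if the normalized path lands outside data_dir (what the flagged join permits)."""
    base = os.path.normpath(os.path.abspath(data_dir))
    target = os.path.normpath(os.path.abspath(path))
    return os.path.commonpath([base, target]) != base


def safe_customer_path(data_dir, name):
    """Return the absolute file path for name, or raise UnsafeCustomerName.

    Rejects absolute paths, '.', '..', any separator, NUL/control characters and
    anything outside the allow-list, then re-checks containment after resolution.
    """
    if not isinstance(name, str) or not name or name != name.strip():
        raise UnsafeCustomerName("empty name or surrounding whitespace")
    if os.path.isabs(name) or any(sep in name for sep in ("/", "\\", os.sep)):
        raise UnsafeCustomerName("absolute path or path separator")
    if name in (".", "..") or any(ord(c) < 32 or c == "\x7f" for c in name):
        raise UnsafeCustomerName("reserved name or control character")
    if not _NAME_RE.match(name):
        raise UnsafeCustomerName("character outside the allow-list")
    base = os.path.realpath(data_dir)
    full = os.path.realpath(os.path.join(base, f"{name}.yaml"))
    if os.path.commonpath([base, full]) != base:  # belt and braces after the allow-list
        raise UnsafeCustomerName("resolved path leaves the data directory")
    return full


def check_names(data_dir, names):
    """Map each candidate name to True (accepted) or False (rejected)."""
    result = {}
    for n in names:
        try:
            safe_customer_path(data_dir, n)
            result[n] = True
        except UnsafeCustomerName:
            result[n] = False
    return result


def write_customer(data_dir, name, yaml_text):
    """Write the record through the validated path, owner-readable only (0o600)."""
    path = safe_customer_path(data_dir, name)
    os.makedirs(data_dir, mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(yaml_text)
    return path


def demo_write():
    """Constructed demo: one record into a throwaway dir; returns (basename, permission bits)."""
    data_dir = os.path.join(tempfile.mkdtemp(), "data", "customers")
    sample = "name: 张三\nphone: '000-0000'\n"  # constructed sample record
    path = write_customer(data_dir, "张三", sample)
    return os.path.basename(path), stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    names = ["张三", "Alice Smith", "../../etc/cron.d/evil", "/etc/passwd", "..", "a\x00b"]
    for n, ok in check_names("data/customers", names).items():
        print(f"{n!r}: {'accepted' if ok else 'rejected'}")
    print(demo_write())
```

The allow-list does the real work; the `commonpath` check after `realpath` is kept because it is cheap and catches a future relaxation of the allow-list or a symlinked data directory. Tighten or widen the regex to match the names the CRM actually stores.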
Anyone with access to the skill files or workspace may be able to read stored customer personal and business information.
The skill persistently stores customer contact details, notes, service records, and monetary amounts in local YAML files.
Evidence (excerpt from SKILL.md, translated):

    **Data storage:** `data/customers/{name}.yaml` ... phone: phone number ... email: email address ... wechat_id: WeChat ID ... notes: list of follow-up records ... amount: amount involved

Recommendation: Use it only in a trusted workspace, keep backups, apply normal access controls, and avoid storing regulated or highly sensitive customer data unless the local environment is protected.
The skill may fail until dependencies are installed, and users may need to make ad hoc package-install decisions without pinned versions.
The included scripts rely on non-standard Python packages, while the registry metadata provides no install spec or dependency declarations.
Evidence (excerpt from the script):

    import jieba
    import jieba.posseg as pseg

Recommendation: Declare the required Python packages and pin their versions in an install or requirements file so users can review and reproduce the environment safely.
