Client Onboarding Automation
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill’s onboarding purpose is coherent, but it would handle sensitive client data and automate client emails/CRM changes without clear approval, scoping, or retention controls.
Review carefully before installing. Only connect narrowly scoped email and CRM accounts, require approval before messages or record changes, avoid storing payment data in spreadsheets/CRM records, and define secure upload, retention, deletion, and cancellation rules for reminders.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could send messages to clients or change business records in ways the user did not review closely.
This directs the agent toward outbound client emails and CRM/account mutations, but the artifacts do not require approval gates, recipient/template review, rate limits, or rollback.
Welcome email sequences — Send personalized onboarding emails via Resend/SendGrid ... CRM record creation — Auto-create client records with all collected data ... Follow-up reminders — Auto-nudge clients who haven't submitted docs
Require explicit approval before sending emails or modifying CRM/task status; preview recipients and templates, use dry runs, rate limits, audit logs, and reversible changes.
Connecting broad email or CRM credentials could give the workflow more authority than needed for a specific onboarding task.
These credentials can authorize email sending and CRM/Sheets record changes, but the skill does not define least-privilege scopes, target accounts, or permission boundaries, and the registry metadata declares no primary credential.
Requirements - Email provider API key (Resend recommended) - Google Sheets or CRM access for record keeping
Use least-privilege API keys or service accounts, restrict access to specific sheets/projects/templates, and declare the credential requirements and scopes clearly.
Sensitive client documents or payment/health-related information could be placed into CRM or Sheets records without adequate protection.
The workflow contemplates collecting and persisting sensitive identity, payment, contract, and possibly health/insurance information without describing minimization, secure storage, retention, redaction, or compliance safeguards.
"required_docs": ["ID", "contract", "payment_info"] ... CRM record creation — Auto-create client records with all collected data ... Healthcare — Patient intake and insurance verification
Avoid storing payment information directly, use secure document/payment collection systems, limit fields copied into CRM, define retention/deletion rules, and add approval before saving sensitive documents.
If implemented with connected tools, reminders could continue running after the initial setup unless the user has a clear way to stop them.
The skill describes delayed and recurring actions, which imply some scheduled or background behavior, but no code implementation is included.
"welcome_sequence": [ { "delay_hours": 0 ... }, { "delay_hours": 24 ... }, { "delay_hours": 72 ... } ] ... Check for Required Documents (daily) ... Send reminder (day 1, 3, 7)
Make schedules opt-in, bounded, auditable, and cancellable, with a clear owner and stop condition for each client workflow.
