Client Onboarding Automator
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for client onboarding, but it can automatically send client emails, create contracts and Stripe payment links, and update business systems without clear approval or credential boundaries.
Review carefully before installing. This skill is useful for a real onboarding workflow, but you should require manual approval before any email, contract, payment link, CRM update, or project setup; use restricted credentials; and confirm how client data is stored and removed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken, spoofed, or malicious inquiry could cause the agent to contact people, create business documents, generate payment links, or alter workspace/CRM data without review.
External email or webhook input can start a workflow that later sends acknowledgments, generates proposals and contracts, creates Stripe payment links, sends welcome emails, and updates project systems, but the artifact does not require human approval or validation before these high-impact actions.
When a new inquiry arrives (email matching pattern, form webhook, or manual trigger)
Add explicit approval checkpoints before sending emails, issuing contracts, creating payment links, updating the CRM, or creating project resources; validate sender identity and allowed services/packages before acting.

If installed without careful configuration, the agent may receive broad payment-account authority without clear limits on what it can create or send.
The configuration example expects a live Stripe secret key for payment collection, but the metadata declares no required credentials or environment variables and the skill does not define storage, scoping, or least-privilege guidance.
"stripe_key": "sk_live_..."
Declare required credentials in metadata, use environment variables or a secrets manager, prefer restricted Stripe keys where possible, and document exactly which account actions the skill may perform.

A single wrong input could cascade into incorrect proposals, payment requests, emails, folders, tasks, reminders, and CRM records.
The artifact explicitly describes an end-to-end automated workflow with no manual steps, so one bad parse or unauthorized trigger could propagate into multiple downstream systems.
"description": "Automate client onboarding: intake processing, contract generation, Stripe payment collection, welcome email sequences, and project setup. Zero manual steps from inquiry to kickoff."
Break the workflow into staged approvals, keep audit logs, add dry-run mode, and provide a simple way to cancel or roll back generated records and scheduled messages.

Client details may be retained in CRM or project systems and reused later, so incorrect or sensitive information could persist.
The workflow stores client information such as names, emails, budgets, timelines, and special requirements in persistent business systems; this is purpose-aligned but involves personal and commercial data.
CRM Update — Logs client details in your tracking system
Define what client data is stored, where it is stored, who can access it, how long it is retained, and how users can correct or delete generated records.
