Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nex Crm
v1.0.0
Chat-native Customer Relationship Management system designed for one-person agencies, freelancers, and small Belgian businesses managing multiple client rela...
by Nex AI (@nexaiguy)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
Name/description match the code and CLI: a local, Python-based CRM that stores data under ~/.nex-crm and provides add/list/show/log/export/pipeline commands. Requiring python3 and writing a venv and CLI wrapper in the user's home is proportionate to the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run setup.sh and the provided CLI only; the README and code explicitly state data is local. However config.py reads optional AI_API_KEY / AI_API_BASE / AI_MODEL environment variables and comments that external calls may occur if the user configures an LLM provider — this is not automatically active but is a capability the user should be aware of.
Install Mechanism
No registry install spec; setup.sh is provided and creates ~/.nex-crm, a Python venv, initializes the DB, and writes a wrapper to ~/.local/bin. The installer is local and does not download arbitrary code from remote URLs (it uses only python -m venv and pip upgrade). Writing to ~/.local/bin and ~/.nex-crm is expected for a CLI tool, but the script runs with standard file system write privileges in your home directory.
Credentials
The skill requires no credentials by default (good). But config.py reads AI_API_KEY, AI_API_BASE and AI_MODEL from environment if set — those would enable external AI calls. The SKILL.md states 'no data is sent externally' but implicitly allows external calls if the user configures an LLM provider; installing without setting those env vars is safe from network exfiltration, but enabling them would permit outbound data (likely including prospect text) to the configured provider.
Persistence & Privilege
always:false and default autonomous invocation are normal. The installer creates persistent data in the user's home and a CLI wrapper; that is appropriate for a local CLI app and is scoped to the installing user. The skill does not request system-wide elevated privileges.
What to consider before installing
This skill is largely coherent with its stated purpose (a local Python CLI CRM). Before installing, review the code and be aware of two things:
1) config.py will use AI_API_KEY/AI_API_BASE/AI_MODEL from your environment if you set them. That will enable outbound calls and could send prospect text to third-party LLMs, so do not set those unless you accept that.
2) The provided source shows several apparent code-quality issues / truncation (typos like 'fetchal', truncated lines in files, and imports of functions that may be missing), which could cause runtime errors.
I recommend: (a) inspect the full files locally (search for any network libraries like requests/urllib or hardcoded endpoints) before running, (b) run setup.sh in a controlled environment (or inside a disposable container/VM) to observe behavior, (c) back up any existing data, and (d) only set AI-related env vars after auditing what data would be sent and to which endpoint.
Latest version: vk97a6pycqrxz79hy6f8pnefzh1849h0m
Runtime requirements
Platform: Clawdis
Bins: python3