Skill v1.0.0

ClawScan security

Nex Crm · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 12:49 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, runtime instructions, and install steps are consistent with a local CLI CRM: it stores data under ~/.nex-crm, requires only python3, and does not request unexplained credentials or network installs.
Guidance
This package appears internally consistent and implements a local CLI CRM. Before installing: (1) review and accept that it will create ~/.nex-crm (data, venv, exports) and a CLI wrapper at ~/.local/bin/nex-crm; (2) if you later set AI_API_KEY or AI_API_BASE, that enables external LLM calls — only set them if you trust the provider; (3) run setup.sh in a user context (it does not require root) and consider running it in a sandbox or VM if you want extra caution; (4) note minor code quality issues (e.g., a likely typo in storage.py that could cause runtime errors) — not malicious but you may want to review or test before relying on production data; (5) back up your ~/.nex-crm/crm.db before bulk operations. Overall, the requests and actions line up with the claimed CRM functionality.

Review Dimensions

Purpose & Capability: ok
Name/description (lightweight local CRM) matches the requested binaries/files and the code: only python3 is required, data is kept under a local data directory, and features in SKILL.md map to implemented CLI commands and DB tables.
Instruction Scope: ok
SKILL.md instructs the agent/user to run setup.sh and use the local CLI; runtime instructions and code operate on a local SQLite DB and do not instruct reading unrelated system files or contacting external endpoints unless a user explicitly sets AI_API_KEY/AI_API_BASE.
Install Mechanism: ok
Installer is a local shell script (setup.sh) that creates a venv, initializes the DB, and installs a wrapper in ~/.local/bin. No remote downloads, package registry installs, or obscure URLs are used.
Credentials: ok
No required environment variables are declared. The code references optional AI_API_KEY/AI_API_BASE/AI_MODEL for optional LLM integration — this is justified and only used if the user sets them; otherwise no credentials are needed.
Persistence & Privilege: ok
The skill is not configured as always:true and does not modify other skills. It writes its own data under ~/.nex-crm and installs a user-level CLI wrapper in ~/.local/bin — reasonable for this purpose.